Adobe patches seven max severity ColdFusion, Campaign flaws

Adobe has released patches for seven critical vulnerabilities in its ColdFusion web app development platform and Campaign Classic marketing automation platform. The vulnerabilities, six affecting ColdFusion and one affecting Campaign Classic, can be exploited remotely without user interaction to gain code execution or arbitrary code execution on unpatched systems. This is a serious situation that requires immediate attention from administrators.

The affected platforms include ColdFusion versions 2025.9 and earlier, as well as Campaign Classic version 7.4.3 build 9396 and earlier. Remote code execution on an unpatched system could lead to a range of malicious activities such as data theft or system compromise. Adobe has emphasized the need for administrators to install the patches as soon as possible, ideally within 72 hours.

It’s worth noting that Adobe is not aware of any exploits in the wild for these vulnerabilities at this time, but the fact that they are being patched suggests that there could be a risk of exploitation in the future. This highlights the importance of regular security updates and patching to prevent attacks from succeeding. By installing the latest patches, administrators can ensure that their systems are protected against these potential threats.

One of the vulnerabilities, tracked as CVE-2026-48286, affects only on-premises Adobe Campaign instances, including fully on-premises deployments and on-premises components in hybrid deployments. This is a reminder that even if you’re using cloud-hosted services, there can still be risks associated with on-premises systems.

Adobe’s decision to switch to twice-monthly security bulletins is also worth noting. Starting from July 14th, the company will publish security updates every two weeks, which could help to reduce the time between vulnerability discovery and patching. This change aims to provide faster responses to potential threats and reduce the risk of attacks succeeding.

The recent patch release follows Adobe’s move in early April to fix an Acrobat Reader vulnerability that had been exploited in zero-day attacks since at least December. The company has a history of releasing patches for critical vulnerabilities, but this latest development serves as a reminder of the importance of staying up to date with security updates and patching.

For administrators, this patch release should be taken seriously, especially given that the six ColdFusion vulnerabilities can be exploited without privileges to gain remote code execution. Installing the latest patches is crucial to preventing potential attacks from succeeding, and it’s essential to prioritize regular security updates and patching to maintain a secure environment.

In practical terms, this means that administrators should immediately review their systems for any vulnerable versions of ColdFusion or Campaign Classic and apply the latest patches as soon as possible. This will not only help to prevent potential attacks but also demonstrate a proactive approach to security, which is essential in today’s threat landscape.


Source: Bleeping Computer — 2026-07-01