MS-ISAC NOTICE NUMBER:
2026-066
ISSUE DATE(S):
01/07/2026
PREVIEW:
Several vulnerabilities have been discovered in Adobe products, the most serious of which could allow the execution of arbitrary code.
- Adobe Campaign Classic is an enterprise marketing automation platform that helps organizations design, automate and track complex, personalized cross-channel marketing campaigns.
- Adobe ColdFusion is a commercial rapid web application development platform used to create and deploy dynamic web and mobile applications.
Successful exploitation of the most severe of these vulnerabilities could allow execution of arbitrary code in the context of the logged in user. Depending on the privileges associated with the user, an attacker could then install programs; view, modify or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system might be less affected than those who operate with administrative user rights.
THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:
- Adobe Campaign Classic ACC v7: 7.4.3 build 9396 and earlier
- ColdFusion 2025 Update 9 and earlier versions
- ColdFusion 2023 Update 20 and earlier versions
RISK:
Government:
Large and medium government entities
Small government
Companies:
Large and medium business entities
Small business entities
TECHNICAL SUMMARY:
Several vulnerabilities have been discovered in Adobe products, the most serious of which could allow the execution of arbitrary code. The details of these vulnerabilities are as follows:
Tactical: Execution (TA0002)
Technical: Operation for customer execution (T1203):
Adobe Classic Campaign:
- Incorrect authorization (CVE-2026-48286)
Adobe ColdFusion:
- Unrestricted download of dangerous file type (CVE-2026-48276, CVE-2026-48283)
- Incorrect input validation (CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, CVE-2026-48315)
- Incorrect limitation of a path name to a restricted directory (“Path Traversal”) (CVE-2026-48282, CVE-2026-48313, CVE-2026-48314)
- Cross-site scripting (Reflected XSS) (CVE-2026-48307)
- Server-Side Request Forgery (SSRF) (CVE-2026-48285)
Successful exploitation of the most severe of these vulnerabilities could allow execution of arbitrary code in the context of the logged in user. Depending on the privileges associated with the user, an attacker could then install programs; view, modify or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system might be less affected than those who operate with administrative user rights.
RECOMMENDATIONS:
We recommend that the following actions be taken:
- Apply the stable channel update provided by Adobe to vulnerable systems immediately after appropriate testing. (M1051: Update software)
- Backup 7.1: Establish and maintain a vulnerability management process: Establish and maintain a documented vulnerability management process for company assets. Review and update documentation annually or when significant changes within the business occur that could impact this protection.
- Safeguard 7.2: Establish and maintain a remediation process: Establish and maintain a risk-based remediation strategy, documented in a remediation process, with monthly or more frequent reviews.
- Backup 7.6: Perform automated vulnerability scans of externally exposed enterprise assets: Perform automated vulnerability scans of externally exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly or more frequent basis.
- Backup 7.7: Fix detected vulnerabilities: Remediate detected vulnerabilities in software through processes and tools on a monthly or more frequent basis, depending on the remediation process.
- Backup 16.13: Perform application penetration testing: Perform application penetration testing. For mission-critical applications, authenticated penetration testing is better suited to detecting business logic vulnerabilities than code analysis and automated security testing. Penetration testing relies on the tester’s ability to manually manipulate an application as an authenticated and unauthenticated user.
- Backup 18.1: Establish and maintain a penetration testing program: Establish and maintain a penetration testing program appropriate to the size, complexity and maturity of the company. Penetration testing program characteristics include scope, such as network, web application, application programming interface (API), hosted services, and physical premises controls; frequency; limitations, such as acceptable hours and excluded types of attacks; contact details; corrective actions, such as how results will be communicated internally; and retrospective requirements.
- Backup 18.2: Perform periodic external penetration tests: Perform periodic external penetration testing based on program requirements, at least annually. External penetration testing should include reconnaissance of the business and environment to detect actionable information. Penetration testing requires specialist skills and experience and should be carried out by a qualified party. The test can be carried out in a transparent box or an opaque box.
- Backup 18.3: Results of corrective penetration tests: Remediate penetration test results based on company policy for scope and priority of remediation.
- Apply the principle of least privilege to all systems and services. Run all software as an unprivileged user (without administrative privileges) to lessen the effects of a successful attack. (M1026: Privileged account management)
- Backup 4.7: Manage default accounts on company assets and software: Manage default accounts on company assets and software, such as root, administrator, and other preconfigured vendor accounts. Example implementations may include: disabling default accounts or rendering them unusable.
- Backup 5.4: Restrict administrator privileges to dedicated administrator accounts: Limit administrator privileges to dedicated administrator accounts on company assets. Perform general computing activities, such as browsing the Internet, email, and using the Productivity Suite, from the user’s primary, non-privileged account.
- Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict web content)
- Backup 2.3: Address unauthorized software: Ensure unauthorized software is removed from use on company assets or given a documented exception. Review monthly or more frequently.
- Backup 2.7: Authorized list of authorized scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc. files, are allowed to run. Block the execution of unauthorized scripts. Reassess every two years or more frequently.
- Backup 9.3: Maintain and apply network-based URL filters: Apply and update network-based URL filters to prevent a business asset from connecting to potentially malicious or untrusted websites. Example implementations include category-based filtering, reputation-based filtering, or the use of blocklists. Apply filters for all company assets.
- Backup 9.6: Block unnecessary file types: Block unnecessary file types that attempt to access the company’s email gateway.
- Use features to detect and block conditions that could lead to or indicate the occurrence of a software exploit. (M1050: Exploit protection)
- Backup 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on company assets and software where possible, like Microsoft? Data Execution Prevention (DEP), Windows? Defender Exploit Guard (WDEG) or Apple? System Integrity Protection (SIP) and Gatekeeper™.
- Block code execution on a system through application control and/or script blocking. (M1038: Execution Prevention)
- Backup 2.5: Authorized list of authorized software: Use technical controls, such as application whitelisting, to ensure that only authorized software can run or be accessed. Reassess every two years or more frequently.
- Backup 2.6: Allowed list of allowed libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc. files, are allowed to load into a system process. Prevent unauthorized libraries from loading into a system process. Reassess every two years or more frequently.
- Backup 2.7: Authorized list of authorized scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc. files, are allowed to run. Block execution of unauthorized scripts. Reassess every two years or more frequently.
- Use features to prevent suspicious behavior patterns from appearing on endpoint systems. This could include a suspicious process, file, API call, etc. (M1040: Preventing Endpoint Behaviors)
- Backup 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets where applicable and/or supported.
- Backup 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets where applicable and/or supported. Example implementations include using an Endpoint Detection and Response (EDR) client or a host-based IPS agent.





