INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Adobe Patches ColdFusion Flaws in Campaign Classic
2026-07-01 15:25 | CRITICAL LOW
Executive Summary AI-generated
The latest incident data reveals a critical vulnerability in Adobe ColdFusion and Campaign Classic, with multiple maximum-severity security flaws impacting these software applications. The vulnerabilities were identified on July 1, 2026, and have been patched by Adobe as of the same date. These exploits include arbitrary code execution, privilege escalation, file system read access, and security feature bypass. Researchers Anirudh Anand, Matan Sandori, and 2Bsecure have discovered and reported these vulnerabilities, which were later fixed in version ACC v7: 7.4.3 build 9396 and earlier for Windows and Linux. The disclosure comes as Adobe shifts from monthly to twice-monthly publication of security bulletins and advisories starting July 14, 2026, due to accelerated vulnerability discovery using advanced techniques.
Technical Mitigations AI-generated
* Implement secure coding practices and input validation mechanisms to prevent arbitrary code execution vulnerabilities.
* Regularly update Adobe ColdFusion and Campaign Classic versions to ensure that known security flaws are patched before they can be exploited by attackers.
* Use a web application firewall (WAF) or intrusion detection system (IDS) to detect and block low-complexity attacks, such as those targeting vulnerable software like Adobe ColdFusion and Campaign Classic.
* Monitor system logs and network traffic for suspicious activity that may indicate an attack is in progress, and take prompt action if necessary.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Campaign Classic
CVE-2026-48286
CVE-2026-48282
CVE-2026-48313
CVE-2026-48307
CVE-2026-48283
CVE-2026-48276
CVE-2026-48316
CVE-2026-48277
CVE-2026-48315
CVE-2026-48281
CVE-2026-34621
Target & Sectors
Global Scope
Incident Timeline
Jul 01, 2026
Threat actors used Adobe Campaign Classic to exploit an improper input validation vulnerability in ColdFusion.
organisation
Adobe
The ColdFusion updates "resolves critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass," Adobe said in an alert released Tuesday.
infrastructure
Windows
Separately, Adobe has also shipped fixes to close out a critical flaw in Adobe Campaign Classic impacting versions ACC v7: 7.4.3 build 9396 and earlier for Windows and Linux that could result in arbitrary code execution.
It has been patched in version ACC v7: 7.4.3 build 9397.
organisation
CVSS
The vulnerabilities are listed below -
* CVE-2026-48276, CVE-2026-48283 (CVSS scores: 10.0) - Unrestricted upload of file with dangerous type vulnerabilities that could lead to arbitrary code execution
* CVE-2026-48277, CVE-2026-48281, CVE-2026-48316 (CVSS scores: 10.0) - Improper input validation vulnerabilities that could lead to arbitrary code execution
* CVE-2026-48282 (CVSS score: 10.0) - A path traversal vulnerability that could lead to arbitrary code execution
* CVE-2026-48313 (CVSS score: 9.3) - A path traversal vulnerability that could lead to arbitrary file system read
* CVE-2026-48315 (CVSS score: 9.3) -
organisation
Anirudh Anand
Security researchers Anirudh Anand, Matan Sandori, and 2Bsecure have been credited with discovering and reporting CVE-2026-48283, CVE-2026-48313, and CVE-2026-48307.
organisation
Adobe Campaign
Adobe noted that CVE-2026-48286 only impacts on-premise Adobe Campaign instances, including fully on-premise deployments and on-premise components in hybrid deployments.
2026/07/01
Adobe released security patches for multiple maximum-severity vulnerabilities in Adobe ColdFusion and Adobe Campaign Classic.
organisation
Adobe
Adobe has released security patches for seven maximum-severity vulnerabilities in the ColdFusion web app development platform and the Campaign Classic marketing automation platform.
organisation
ColdFusion
Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic.
Adobe patches seven max severity ColdFusion, Campaign flaws.
infrastructure
7.4.3
The Campaign Classic max severity vulnerability (tracked as CVE-2026-48286) affects versions 7.4.3 build 9396 and earlier and could lead to arbitrary code execution in the current user's context after successful exploitation.
infrastructure
2025.9
Six of these critical security flaws (tracked as CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, and CVE-2026-48282) affect ColdFusion versions 2025.9, 2023.20 and earlier, and can be exploited by attackers without privileges to gain remote code execution on unpatched systems.
organisation
CVE-2026
According to Adobe's security advisory, CVE-2026-48286 only affects on-premises Adobe Campaign instances (including fully on-premises deployments and on-premises components in hybrid deployments), as the flaw has already been patched on Adobe-hosted instances.
organisation
CSO
Aanchal Gupta, Adobe's Chief Security Officer (CSO), also announced on Thursday that the company will switch to twice-monthly security bulletins to deploy security updates faster.
July 14, 2026
Threat actors used Adobe's AI-powered vulnerability discovery tools to identify and exploit previously unknown flaws in ColdFusion and Campaign Classic.
organisation
Adobe Security Bulletins
"Effective July 14, 2026, Adobe is moving from monthly to twice-monthly publication of Adobe Security Bulletins and Advisories on the second and fourth Tuesday of each month," Gupta said.
organisation
Adobe's
"The frontier AI capabilities we are using are also available to attackers, and the window between public vulnerability disclosure and active exploitation is compressing from days to hours," Adobe's Chief Security Officer Aanchal Gupta said.
Intelligence Sources
BleepingComputer (2026-07-01): Adobe patches seven max severity ColdFusion, Campaign flaws
The Hacker News (2026-07-01)
Incident Version History
CURRENT VERSION
Last Updated: 2026-07-02T06:31
Comprehensive Tactical Telemetry
Highly Correlated Entities

| Mentions | Category | Label | Value | Type |
|---|---|---|---|---|
| 14x | organisation | Identified Entity | Adobe | entity |
| 11x | vulnerability | Exploited CVE | CVE-2026-48276 | cve |
| 3x | tactic | Cyber Operation Type | Privilege Escalation | tactic |
| 3x | general metric | Update | 21 | update |
| 3x | timeline | Temporal Reference | Jul 01, 2026 | date |
| 3x | attribution | Attributing Entity | Adobe ColdFusion | authority |
| 3x | infrastructure | Software Version | 7.4.3 | version |
| 2x | infrastructure | Affected Product | Windows | software |
| 2x | general metric | % | 54 | % |
Contextual Telemetry
Context Block (10 METRICS)

| Category | Label | Value | Type |
|---|---|---|---|
| general metric | Coldfusion | 2,023 | coldfusion |
| vulnerability | CVSS Score | 10 | score |
| campaign | Campaign | Campaign Classic | operation |
| general metric | Flaws | 7 | flaws |
| tactic | MITRE ATT&CK Technique | T1588.007 - Artificial Intelligence | technique |
| general metric | Jul | 1 | jul |
| general metric | Path Traversal Vulnerability | 9 | path traversal vulnerability |
| general metric | Security Flaws | 79 | security flaws |
| general metric | Coldfusion Versions | 2,026 | coldfusion versions |
| general metric | Hours | 72 | hours |