Adobe Patches Seven Critical CVSS 10.0 Flaws in ColdFusion and Campaign Classic
What Happened — Adobe released security updates for ColdFusion 2023 Update 21, ColdFusion 2025 Update 10, and Campaign Classic 7.4.3 build 9397, fixing seven maximum‑severity (CVSS 10.0) and two high‑severity (CVSS 9.3) vulnerabilities. The flaws allow remote code execution, privilege escalation, arbitrary file reads, and path‑traversal attacks. No active exploitation has been observed.
Why It Matters for Compliance & Audit Readiness
- Unpatched RCE flaws directly violate SOC 2 CC6 (System Operations) and CC7 (Change Management) requirements for timely patch management and vulnerability remediation.
- Demonstrating continuous evidence that critical patches are applied is essential for a defensible audit trail and for satisfying the “risk mitigation” component of the SOC 2 Trust Services Criteria.
- Verisq’s Control Mapping capability can automatically map patch‑management controls to SOC 2 criteria and collect immutable evidence for auditors.
Who Is Affected
- Enterprises running on‑premises Adobe ColdFusion or Campaign Classic (e.g., financial services, healthcare, media, and technology firms).
Recommended Actions
- Verify your ColdFusion/Campaign Classic version against the advisory and apply the latest updates immediately.
- Update your patch‑management policy to include a 48‑hour SLA for critical CVSS 10.0 fixes.
- Map the applied patches to SOC 2 CC6/CC7 controls in your continuous‑compliance platform and archive the update logs as audit evidence.
Technical Notes
- Vulnerabilities: CVE‑2026‑48276, CVE‑2026‑48277, CVE‑2026‑48281, CVE‑2026‑48282, CVE‑2026‑48283, CVE‑2026‑48284, CVE‑2026‑48286 (all CVSS 10.0) and CVE‑2026‑48313, CVE‑2026‑48315 (CVSS 9.3).
- Attack vectors: arbitrary file upload, input validation bypass, path traversal, and authorization weakness.
- Impact: remote code execution, privilege escalation, sensitive file disclosure.
Source: SecurityAffairs