Multiple Critical Vulnerabilities in Adobe Campaign Classic & ColdFusion Enable Arbitrary Code Execution (CVE‑2026‑48286 et al.)
What Happened — CIS has identified a set of newly disclosed CVEs affecting Adobe Campaign Classic ACC v7 (≤ 7.4.3 build 9396) and Adobe ColdFusion (2025 Update 9 and earlier; 2023 Update 20 and earlier). The most severe flaws allow an attacker to execute arbitrary code in the context of the logged‑on user, potentially installing programs, modifying data, or creating privileged accounts.
Why It Matters for Compliance & Audit Readiness
- These flaws expose gaps in your patch‑management and change‑control processes, which are core SOC 2 CC6.1 (System Operations) and CC7.1 (Change Management) controls.
- Demonstrating continuous evidence that vulnerable versions are identified, remediated, and that compensating controls (least‑privilege, segmentation) are in place is essential for a defensible audit trail.
- Verisq’s Control‑Mapping capability can automatically map each CVE to the relevant SOC 2 control, collect remediation evidence, and feed it into your Trust Center for audit reviewers.
Who Is Affected — Enterprises that run Adobe Campaign Classic for marketing automation, and organizations that host web applications on Adobe ColdFusion (e.g., tech‑SaaS providers, digital agencies, government portals).
Recommended Actions
- Inventory all Adobe Campaign Classic and ColdFusion instances; verify version numbers against the advisory.
- Prioritize patching of the listed CVEs; if patches are unavailable, apply vendor‑recommended mitigations (e.g., restrict user privileges, network segmentation).
- Update your SOC 2 control evidence to include vulnerability‑scan results, patch‑deployment tickets, and configuration hardening documentation.
- Enable continuous monitoring of third‑party software inventories to surface future exposures early.
Source: CIS Advisory 2026‑066
Technical Notes
- Attack vector: Exploitation of multiple CVEs (e.g., CVE‑2026‑48286 – Incorrect Authorization; CVE‑2026‑48276/‑48283 – Unrestricted File Upload; CVE‑2026‑48277/‑48281 – Improper Input Validation; CVE‑2026‑48282 – Path Traversal; CVE‑2026‑48307 – Reflected XSS; CVE‑2026‑48285 – SSRF).
- Potential impact: Remote code execution, privilege escalation, data manipulation, creation of new admin accounts.
- Current exploitation: No public reports of active exploitation.