Adobe ColdFusion & Campaign Classic Priority 1 Patches for 12 Vulnerabilities Including Six Maximum-Severity RCE Flaws (APSB26-68, APSB26-69) — Threadlinqs Intelligence
Threat ID: TL-2026-1091 · Severity: CRITICAL · CVSS: 10 · Status: PATCHED · Category: VULNERABILITY
Adobe published Priority 1 security bulletins APSB26-68 (ColdFusion 2025/2023) and APSB26-69 (Campaign Classic v7) addressing 12 CVEs, seven of which carry the maximum CVSS score of 10.0 and enable
On 2026-06-30/07-01 Adobe released two coordinated Priority 1 security bulletins covering its ColdFusion application server and Campaign Classic marketing-automation platform. APSB26-68 addresses 11 CVEs in ColdFusion 2025 (Update 9 and earlier) and ColdFusion 2023 (Update 20 and earlier), fixed in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21 respectively.
Six of these reach the maximum CVSS score of 10.0: two unrestricted file upload flaws (CVE-2026-48276, CVE-2026-48283, CWE-434) that let an unauthenticated attacker drop and execute arbitrary files on the server; three improper input validation flaws (CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, CWE-20) that achieve code execution via malformed requests; and one path traversal flaw (CVE-2026-48282, CWE-22) enabling arbitrary code execution.
Additional high-severity issues in the same bulletin include a path traversal arbitrary file-read flaw (CVE-2026-48313, CVSS 9.3, CWE-22), a privilege escalation flaw (CVE-2026-48315, CVSS 9.3, CWE-20/CWE-269 class), a reflected XSS (CVE-2026-48307, CVSS 8.8, CWE-79), a server-side request forgery enabling security-feature bypass (CVE-2026-48285, CVSS 8.6, CWE-918), and a lower-severity path traversal privilege escalation (CVE-2026-48314, CVSS 6.5, CWE-22). All ColdFusion flaws require no special privileges or user interaction and are network-exploitable (AV:N).
APSB26-69 addresses a single but maximum-severity flaw in Adobe Campaign Classic (ACC) v7: CVE-2026-48286 (CVSS 10.0), an incorrect authorization vulnerability (CWE-863) with remote code execution impact, exploitable over the network with no authentication and no user interaction. It affects ACC v7 7.4.3 build 9396 and earlier, fixed in build 9397, and applies only to on-premise and hybrid on-premise deployments — Adobe-hosted Campaign instances were already remediated server-side and require no customer action.
Adobe explicitly states it is not aware of active exploitation of any of the 12 vulnerabilities at time of disclosure and has not observed public proof-of-concept code. Both products carry a documented history of exploitation: ColdFusion vulnerabilities (CVE-2023-29298, CVE-2023-29300, CVE-2023-38203, CVE-2023-26360) were exploited in the wild in 2023, including a confirmed intrusion at a U.S. federal civilian executive branch agency (CISA advisory AA23-339A) and deployment of the Behinder web shell via a deserialization flaw, underscoring that ColdFusion is a recurring target for opportunistic and targeted actors once technical details or working exploits surface. Given the Priority 1 rating, unauthenticated network attack vector, and this exploitation history, defenders should treat the 72-hour remediation window as a hard deadline and monitor for exploitation attempts even in the absence of current in-the-wild reports.
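
As an added example (not part of the Adobe bulletins or of this page's original content), the following triages a host inventory against the fixed levels stated above, including the Adobe-hosted Campaign exception. The CSV column layout, host names and status labels are assumptions, and the sample inventory is constructed.

```python
import csv
import io

# Fixed levels as stated in the summary above:
# (product, major) -> first fixed update or build number.
FIXED = {
    ("coldfusion", "2025"): 10,        # APSB26-68: Update 9 and earlier affected
    ("coldfusion", "2023"): 21,        # APSB26-68: Update 20 and earlier affected
    ("campaign-classic", "7"): 9397,   # APSB26-69: build 9396 and earlier affected
}
BULLETIN = {"coldfusion": "APSB26-68", "campaign-classic": "APSB26-69"}

def triage(row):
    """Return (status, reason) for one inventory row (dict of strings)."""
    product = row["product"].strip().lower()
    major = row["major"].strip()
    deployment = row["deployment"].strip().lower()
    # Adobe-hosted Campaign was remediated server-side: no customer action.
    if product == "campaign-classic" and deployment == "adobe-hosted":
        return "NO_ACTION", "Adobe-hosted instance, remediated by Adobe"
    fixed = FIXED.get((product, major))
    if fixed is None:
        # Release not named in the summary: report that, never "safe".
        return "NOT_COVERED", "release not listed in the APSB26-68/69 summary"
    try:
        level = int(row["level"])
    except (TypeError, ValueError):
        return "UNKNOWN", "update/build level missing or not numeric"
    if level < fixed:
        return "PATCH", f"{BULLETIN[product]}: level {level} < fixed {fixed}"
    return "OK", f"at or above fixed level {fixed}"

def triage_inventory(text):
    """Triage a CSV inventory; returns {host: (status, reason)}."""
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

# Constructed sample inventory (hypothetical hosts and column layout).
SAMPLE = """host,product,major,level,deployment
cf-app-01,coldfusion,2025,9,on-premise
cf-app-02,coldfusion,2023,21,on-premise
cf-old-01,coldfusion,2021,18,on-premise
acc-mkt-01,campaign-classic,7,9396,hybrid
acc-mkt-02,campaign-classic,7,9396,adobe-hosted
cf-app-03,coldfusion,2023,,on-premise
"""

if __name__ == "__main__":
    for host, (status, reason) in triage_inventory(SAMPLE).items():
        print(f"{host:12} {status:12} {reason}")
```

Rows reported as NOT_COVERED or UNKNOWN need manual review against the bulletins themselves; the script only encodes the version ranges quoted on this page.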
Weaknesses (CWE)
CWE-434, CWE-20, CWE-22, CWE-79, CWE-918, CWE-863
Target sectors: government administration, finance, health, technology, retail, news - media, marketing
Target regions: North America, Europe, Global
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 17 indicator(s) of compromise.
VULNERABILITY, CRITICAL, threat intelligence, cybersecurity, CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, CVE-2026-48282, CVE-2026-48283, CVE-2026-48313, CVE-2026-48315, CVE-2026-48307, CVE-2026-48285, T1595, T1587, T1190, T1059, T1505, T1068, T1140, T1036, T1552, T1083