CVE-2026-48286

Adobe · Adobe Campaign Classic (ACC)

Adobe Campaign Classic contains an authorization flaw that allows unauthenticated remote attackers to execute arbitrary code.

Executive summary

An incorrect authorization vulnerability in Adobe Campaign Classic permits unauthenticated remote attackers to execute arbitrary code, creating a severe risk of total system compromise.

Vulnerability

This vulnerability is categorized as an Incorrect Authorization flaw: the application fails to properly validate permissions, allowing unauthenticated attackers to perform unauthorized actions. The issue results in arbitrary code execution without the need for user interaction.

Business impact

With a CVSS score of 10.0, this vulnerability poses an extreme risk to the business. Exploitation could lead to full administrative control over the Adobe Campaign Classic platform, potentially resulting in the exfiltration of sensitive marketing data, unauthorized modifications to customer communications, and total system takeover.

Remediation

Immediate Action: Update Adobe Campaign Classic to the version specified in the latest vendor security advisory to rectify the authorization controls.

Proactive Monitoring: Monitor system logs for unauthorized configuration changes, anomalous administrative activity, or unexpected execution of processes originating from the application service.

Compensating Controls: Restrict network access to the Adobe Campaign Classic management interfaces using VPNs or IP whitelisting to minimize the attack surface until patches are applied.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability represents a critical security gap that requires urgent remediation. System administrators must verify the current version of their ACC deployment and apply the necessary security updates immediately to mitigate the risk of unauthorized remote exploitation.