CVE-2026-48303
Adobe · Campaign Classic
Adobe Campaign Classic is vulnerable to an incorrect authorization flaw that allows unauthenticated attackers to achieve arbitrary code execution via crafted HTTP/2 requests.
Executive summary
A critical authorization vulnerability in Adobe Campaign Classic allows for unauthenticated remote code execution, posing an immediate threat to organizational infrastructure.
Vulnerability
This vulnerability involves an Incorrect Authorization flaw that permits an unauthenticated attacker to execute arbitrary code. The issue is exacerbated by the availability of public technical details regarding HTTP/2 bomb exploits, which can be weaponized by automated systems.
Business impact
With a CVSS score of 10.0, this vulnerability represents the highest level of risk. Successful exploitation grants an attacker full control over the affected system, potentially leading to total data compromise, lateral movement within the network, and significant operational downtime. The lack of required user interaction makes this an exceptionally dangerous vector for automated exploitation.
Remediation
Immediate Action: Update Adobe Campaign Classic to the latest version to patch the authorization logic.
Proactive Monitoring: Monitor network traffic for anomalous HTTP/2 request patterns and unusual child processes spawned by the Campaign Classic service.
Compensating Controls: Deploy a Web Application Firewall (WAF) configured to inspect and block malformed or oversized HTTP/2 requests that match identified exploit signatures.
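One way to implement the child-process check from the Proactive Monitoring step, as an added example that is not Adobe's code or part of the original advisory. The service and worker process names are placeholders (the advisory does not name them), and the events are constructed samples in an assumed one-JSON-object-per-line process-creation format.

```python
import json

# Assumption: placeholder names; the advisory does not give the real ones.
SERVICE_PROCESS = "campaign-service-placeholder"
# Assumption: children observed during a known-good baseline period.
BASELINE_CHILDREN = {"campaign-worker-placeholder"}

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    '{"ts":"2026-01-01T10:00:00Z","pid":4100,"ppid":4000,"image":"/opt/app/campaign-worker-placeholder","parent_image":"/opt/app/campaign-service-placeholder"}',
    '{"ts":"2026-01-01T10:05:12Z","pid":4200,"ppid":4000,"image":"/bin/sh","parent_image":"/opt/app/campaign-service-placeholder"}',
    '{"ts":"2026-01-01T10:05:13Z","pid":4201,"ppid":4200,"image":"/usr/bin/curl","parent_image":"/bin/sh"}',
    '{"ts":"2026-01-01T10:06:00Z","pid":5000,"ppid":1,"image":"/bin/sh","parent_image":"/sbin/init"}',
    'not-json garbage line',
]

def basename(path):
    """Lower-cased file name of a POSIX or Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_suspicious_children(lines, service=SERVICE_PROCESS, baseline=BASELINE_CHILDREN):
    """Return (findings, skipped): processes outside the baseline that were
    spawned by the service, plus everything those processes spawn in turn."""
    tainted = {}  # pid -> depth below the service (PID reuse is not handled)
    findings, skipped = [], 0
    for line in lines:
        try:
            ev = json.loads(line)
            pid, ppid = int(ev["pid"]), int(ev["ppid"])
            image, parent = basename(ev["image"]), basename(ev["parent_image"])
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # count malformed records instead of silently dropping them
            continue
        if parent == service and image not in baseline:
            depth = 1  # unexpected direct child of the service
        elif ppid in tainted:
            depth = tainted[ppid] + 1  # descendant of an already flagged process
        else:
            continue
        tainted[pid] = depth
        findings.append({"ts": ev.get("ts"), "pid": pid, "image": image, "depth": depth})
    return findings, skipped

if __name__ == "__main__":
    hits, bad = find_suspicious_children(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("skipped malformed records:", bad)
```

Events must be fed in chronological order, since a descendant is only recognized after its parent has been flagged.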
Exploitation status
Public Exploit Available: True
Analyst recommendation
Given the critical CVSS severity and the availability of public exploit information, immediate patching is non-negotiable. Administrators should prioritize updating their Adobe Campaign Classic environments and review system logs for signs of unauthorized access attempts originating from external sources.