Adobe Patches Critical ColdFusion and Campaign Classic Flaws, Citing AI-Accelerated Vulnerability Discovery
Adobe has released urgent security patches for multiple maximum-severity vulnerabilities in **Adobe ColdFusion** and **Adobe Campaign Classic**. These updates address critical flaws that could lead to arbitrary code execution, privilege escalation, and arbitrary file system reads, underscoring a growing urgency in vulnerability management driven by AI's impact on discovery.
Adobe has issued critical security updates to address severe vulnerabilities impacting **Adobe ColdFusion** and **Adobe Campaign Classic**. IT security professionals and users should apply these patches promptly.
### Critical Flaws in Adobe ColdFusion
The **ColdFusion** updates are designed to resolve critical and important vulnerabilities that could enable arbitrary code execution, privilege escalation, arbitrary file system reads, and security feature bypasses. Adobe detailed these issues in a recent security alert.
The vulnerabilities include:
* **CVE-2026-48276**, **CVE-2026-48283** (CVSS: 10.0) - Unrestricted upload of files with dangerous types, leading to arbitrary code execution.
* **CVE-2026-48277**, **CVE-2026-48281**, **CVE-2026-48316** (CVSS: 10.0) - Improper input validation, leading to arbitrary code execution.
* **CVE-2026-48282** (CVSS: 10.0) - A path traversal vulnerability, leading to arbitrary code execution.
* **CVE-2026-48313** (CVSS: 9.3) - A path traversal vulnerability, leading to arbitrary file system read.
* **CVE-2026-48315** (CVSS: 9.3) - An improper input validation vulnerability, leading to privilege escalation.
These issues have been addressed in **ColdFusion 2023 Update 21** and **ColdFusion 2025 Update 10**. Security researchers **Anirudh Anand**, **Matan Sandori**, and **2Bsecure** were credited with reporting several of these vulnerabilities.
### Adobe Campaign Classic Vulnerability
Separately, Adobe has also deployed fixes for a critical flaw in **Adobe Campaign Classic**, specifically impacting versions **ACC v7: 7.4.3 build 9396** and earlier for Windows and Linux. This vulnerability could also lead to arbitrary code execution.
The flaw, tracked as **CVE-2026-48286** (CVSS: 10.0), is an incorrect authorization issue that could allow an attacker to execute arbitrary code on affected systems. It has been patched in version **ACC v7: 7.4.3 build 9397**.
Adobe clarified that **CVE-2026-48286** exclusively affects on-premise **Adobe Campaign** instances, including fully on-premise deployments and on-premise components in hybrid setups. Adobe-hosted instances have already been updated and require no user action.
The company emphasized that no in-the-wild exploits have been observed for any of the addressed issues at the time of disclosure.
### AI-Accelerated Vulnerability Discovery Drives Faster Patch Cycles
This release coincides with Adobe's announcement that it will move from monthly to twice-monthly security bulletins, effective July 14, 2026. The change is a direct response to the accelerated pace of vulnerability discovery, which is significantly influenced by artificial intelligence (AI) models.
**Aanchal Gupta**, Adobe's Chief Security Officer, stated, "The frontier AI capabilities we are using are also available to attackers, and the window between public vulnerability disclosure and active exploitation is compressing from days to hours. We are applying AI to find and fix vulnerabilities first, and getting those fixes to customers faster is the natural next step."
### Deeper Dive into the ColdFusion Patches
In a follow-up analysis, **watchTowr Labs** characterized **CVE-2026-48282** as an arbitrary file write vulnerability and **CVE-2026-48313** as an arbitrary file read. The same fixes also implicitly resolved other issues, including arbitrary file move, file delete, directory creation, and directory listing.
The patch for **CVE-2026-48276**, a file upload path traversal flaw, introduces new disallowed file extensions such as `.jspf`, `.cfmail`, and `.war`. Security researcher **Sina Kheirkhah** noted that it also adds a new `<cfscript>` block to prevent path traversal during file uploads.
The vulnerable file upload functionality in **ColdFusion** is disabled by default. However, if explicitly enabled, the upload endpoint appears to be reachable without authentication. Exploiting the vulnerability then becomes as straightforward as sending a file upload request with a path traversal payload in the path parameter, resulting in the file being written to disk with `NT AUTHORITY\SYSTEM` privileges.
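The two controls the patch analysis describes, an extension restriction and a traversal check on the upload path, sketched here as an added Python example. It is not Adobe's patch code; the upload root, the allowlist and the function names are assumptions.

```python
import posixpath
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/app/uploads"              # hypothetical upload root
PATCH_BLOCKED = {".jspf", ".cfmail", ".war"}  # extensions named in the article
ALLOWED = {".png", ".jpg", ".pdf", ".txt"}    # assumption: site-specific allowlist


def _decode(value):
    """Percent-decode until stable so double-encoded input is seen in clear."""
    for _ in range(5):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("excessive encoding layers")


def safe_upload_path(path_param, filename, root=UPLOAD_ROOT):
    """Return the destination path under root, or raise ValueError."""
    # Treat backslashes as separators: the target platform may be Windows.
    sub = _decode(path_param).replace("\\", "/")
    name = _decode(filename).replace("\\", "/")
    if "\x00" in sub + name or ":" in sub + name:
        raise ValueError("NUL byte or drive/stream separator")
    if "/" in name:
        raise ValueError("file name contains a path separator")
    # Windows drops trailing dots and spaces, so "a.war." lands as "a.war".
    name = name.rstrip(". ")
    ext = posixpath.splitext(name)[1].lower()
    # A blocklist alone is easy to outrun; the allowlist is the real control.
    if not name or ext in PATCH_BLOCKED or ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not permitted")
    # Join, normalise, then confirm the result is still inside root. An
    # absolute sub-path replaces root in join() and fails this check too.
    dest = posixpath.normpath(posixpath.join(root, sub, name))
    if posixpath.commonpath([root, dest]) != root:
        raise ValueError("destination escapes upload root")
    return dest
```

String normalisation does not see symlinks or junctions; on a live filesystem, resolve the final path (for example with `os.path.realpath`) and repeat the containment check before writing.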