Seven vulnerabilities with the maximum possible CVSS score of 10.0, patched in a single update cycle, across two products that sit on opposite ends of a typical enterprise stack. Adobe’s July advisory fixes 11 flaws total across ColdFusion 2025, ColdFusion 2023, and Campaign Classic 7.4.3, and assigned both updates its Priority 1 rating, the classification Adobe reserves for vulnerabilities it expects to be exploited in the wild in short order, whether or not a public proof of concept exists yet.
Two products, one shared failure mode
The six maximum-severity ColdFusion flaws, CVE-2026-48276, -48277, -48281, -48316, -48282, and -48283, span improper authorization, path traversal, and unsafe file upload handling: missing authorization and input validation checks of the kind that let an attacker walk past access controls entirely and write arbitrary files to a server they were never meant to reach. Campaign Classic's single CVSS 10.0 flaw, CVE-2026-48286, is an incorrect authorization bug with the same practical outcome, arbitrary code execution on an affected system. Different products, same underlying story: checks that were supposed to stand between an unauthenticated request and full server compromise were missing.
Why ColdFusion earns extra scrutiny every time
ColdFusion patches have a long, well-documented history of being reverse-engineered into working exploits within days of release, turning a fixed vulnerability into an attack against everyone who has not yet updated. ColdFusion also has a long history of running unnoticed in production, powering legacy web applications that predate current change-management processes and that nobody on the current team fully owns. Campaign Classic compounds the exposure for a specific reason: it is Adobe's enterprise marketing and email campaign platform, so a compromise there does not just expose application data, it can hand an attacker the infrastructure and sender reputation needed to launch convincing phishing campaigns from a trusted, authenticated source.
Patch now, audit the platform’s future while you are at it
Fixes are available in ColdFusion 2025 Update 10, ColdFusion 2023 Update 21, and Campaign Classic ACC v7.4.3 build 9397. Adobe says it has no evidence of active exploitation yet, but a Priority 1 rating on seven CVSS 10.0 flaws is not a maintenance-window item; it is a same-week action. Organisations that have patched ColdFusion or Campaign Classic vulnerabilities on a similar emergency basis before should treat the recurrence as data, not bad luck, and use this cycle to seriously evaluate whether these legacy platforms still belong in a modern, defensible stack.
What we recommend
- Inventory every ColdFusion and Campaign Classic instance across your estate, including systems maintained by agencies or contractors that may not appear in central IT records
- Apply the fixed builds immediately: ColdFusion 2025 Update 10, ColdFusion 2023 Update 21, and Campaign Classic v7.4.3 build 9397
- Restrict administrative and file upload interfaces to trusted networks as an interim control anywhere immediate patching is not possible
- Review web server, application and email gateway logs for unexpected file writes, requests to administrative or upload endpoints from untrusted networks, path traversal patterns in requests, and unusual outbound campaign activity, since Priority 1 flaws are routinely weaponised within days of disclosure
- Use this patch cycle to assess whether a platform migration, rather than another emergency patch, is the better long-term investment
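The log review step above is easier to act on with something concrete to run. The following is an added example, not Adobe's code or anything shipped with ColdFusion: it scans web server access logs for the three flaw classes the advisory names (path traversal, access to administrative or upload endpoints from outside trusted networks, and scripts executed from an upload directory) and sweeps the webroot for recently written script files. It assumes the admin console is served under /CFIDE/administrator, that the application's upload handler is /upload.cfm with files landing under /uploads/, and that the listed private ranges are the only networks that should reach those endpoints; the log lines are constructed for the example and are not real traffic.

```python
"""Access-log and webroot triage for the review step above (added example)."""
import ipaddress
import os
import re
import tempfile
import time
from dataclasses import dataclass
from urllib.parse import unquote

# Assumptions, not taken from the advisory: adjust to your deployment.
SENSITIVE_PREFIXES = ("/cfide/administrator", "/upload.cfm")
UPLOAD_DIR = "/uploads/"
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.1.0/24")]
SCRIPT_EXTS = {".cfm", ".cfc", ".cfml", ".jsp", ".jspx"}

# Apache/nginx "combined" format: client ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


@dataclass
class Finding:
    line_no: int
    client: str
    reason: str
    request: str


def decode_path(raw: str) -> str:
    """Percent-decode twice so double-encoded traversal (%252e%252e) is visible."""
    return unquote(unquote(raw))


def is_traversal(raw_path: str) -> bool:
    """True when the decoded path or query string steps up a directory."""
    decoded = decode_path(raw_path).replace("\\", "/")
    return "../" in decoded or decoded.endswith("/..")


def is_trusted(client_ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage_log(lines):
    """One Finding per indicator found in the given access-log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format: skip rather than guess
        client, _ts, method, raw_path, status, _size = m.groups()
        path = decode_path(raw_path).split("?", 1)[0]
        ext = os.path.splitext(path)[1].lower()
        if is_traversal(raw_path):
            findings.append(Finding(n, client, "path traversal", f"{method} {raw_path}"))
        if path.lower().startswith(SENSITIVE_PREFIXES) and not is_trusted(client):
            findings.append(Finding(n, client, "admin/upload endpoint from untrusted network",
                                    f"{method} {raw_path} -> {status}"))
        if path.lower().startswith(UPLOAD_DIR) and ext in SCRIPT_EXTS:
            findings.append(Finding(n, client, "script executed from upload directory",
                                    f"{method} {raw_path} -> {status}"))
    return findings


def summarise(findings):
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


def find_recent_scripts(webroot, since_epoch):
    """Script files under webroot modified at or after since_epoch (unexpected writes)."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS and os.path.getmtime(full) >= since_epoch:
                hits.append(full)
    return sorted(hits)


# Constructed sample (not real traffic): 203.0.113.7 probes the admin console and
# traverses out of the webroot, 198.51.100.22 uploads a script and then runs it,
# and 10.0.4.19 is an internal administrator using the console legitimately.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jul/2026:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/Jul/2026:10:01:09 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 302 0',
    '203.0.113.7 - - [14/Jul/2026:10:02:31 +0000] "GET /file.cfm?path=..%2F..%2F..%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 2044',
    '198.51.100.22 - - [14/Jul/2026:10:05:00 +0000] "POST /upload.cfm HTTP/1.1" 200 88',
    '198.51.100.22 - - [14/Jul/2026:10:05:04 +0000] "GET /uploads/cmd.cfm?c=whoami HTTP/1.1" 200 311',
    '10.0.4.19 - - [14/Jul/2026:10:10:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 12000',
    '203.0.113.7 - - [14/Jul/2026:10:12:00 +0000] "GET /a/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} from {f.client}: {f.request}")
    print(summarise(triage_log(SAMPLE_LOG)))
    with tempfile.TemporaryDirectory() as root:  # stand-in for the real webroot
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "uploads", "cmd.cfm"), "w") as fh:
            fh.write("<cfoutput>#cgi.query_string#</cfoutput>")
        print(find_recent_scripts(root, time.time() - 3600))
```

Two choices matter in practice. Paths are decoded twice before matching because a single decode misses double-encoded traversal, and the traversal check runs on the full request including the query string, since the path parameter is where such a payload usually sits. The trusted-network check on the admin and upload endpoints is the same policy as the interim control in the list above, so a hit there is either an attacker or a gap in that restriction; a 302 or 401 on those endpoints is still worth attention, because a probe that was refused today may be retried once an exploit for the patched flaw circulates.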
If your organisation runs ColdFusion or Campaign Classic and needs help patching quickly, auditing exposure, or planning a migration away from infrastructure that keeps generating maximum-severity emergencies, contact Excello Digital. We help European teams turn recurring fire drills into a platform strategy that holds up.
