External risk intelligence

Adobe Campaign Classic Arbitrary Code Execution Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-48286

Adobe Campaign Classic is an enterprise marketing automation platform designed to manage and deliver public-facing campaigns, web forms, and email communications. Due to its role as a customer-facing engagement engine, it is commonly deployed with internet-accessible components to interact with external users, making it a likely candidate for public network exposure.

Adobe Campaign

7.4.3 and earlier

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

Adobe Campaign Classic, a marketing automation platform, has a critical vulnerability that could allow unauthorized code execution without user interaction. This issue affects versions prior to 7.4.3 build 9396. Given its role in customer-facing communications, this vulnerability could present a significant risk if exploited.

  • Flaw allows unauthorized code execution.
  • Affects marketing platform with external exposure.
  • Confirm relevance and assess exposure risk.

Attack Path

How an attacker could exploit the issue

An attacker could leverage an external network path to reach Adobe Campaign Classic and trigger an incorrect authorization flaw. This vulnerability, once exploited, allows an attacker to execute arbitrary code with the privileges of the currently logged-in user, and it does not require any interaction from the user.

  • Network access is required.
  • Vulnerable authorization check.
  • Arbitrary code execution possible.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Adobe Campaign Classic could allow an unauthenticated attacker to execute arbitrary code on the affected system. The attacker could potentially gain control of the application's processes, impacting its ability to manage and deliver marketing campaigns, and potentially leading to unauthorized access or modification of campaign-related data.

  • System data and service behavior at risk.
  • Arbitrary code execution without user interaction.
  • Compromised campaign management and delivery.

Operational Fix

Recommended remediation, mitigation, and detection steps

For Adobe Campaign Classic (ACC), the platform or application owner is primarily responsible for managing this vulnerability, in coordination with infrastructure and security teams. The first practical step is to identify all ACC instances, determine their exposure to the network, and assess their business criticality to prioritize remediation efforts.

  • Platform/Application owners should take the lead.
  • Verify ACC instance network exposure and criticality.
  • Plan remediation based on assessed risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Adobe Campaign Classic?

Adobe Campaign Classic is an enterprise marketing automation platform. Organizations use it to coordinate multi-channel customer communications, manage web forms, and execute email campaigns. It functions as a central engagement engine for interacting with audiences, which often requires the software to maintain components accessible to external networks to process incoming data and deliver marketing content.

What does Incorrect Authorization mean for CVE-2026-48286?

This weakness, categorized as CWE-863, means the application fails to properly verify if a user is permitted to perform a specific action. In the context of this CVE, the vulnerability allows an attacker to bypass authorization checks entirely. Instead of being restricted to their intended access level, an attacker can execute arbitrary code with the same privileges as the currently logged-in user.

How is this Adobe Campaign Classic vulnerability triggered?

An attacker triggers this flaw by sending specifically crafted requests over a network. Because the vulnerability involves an authorization failure rather than a logical interaction, it does not require a legitimate user to click a link or provide input. Note that simply having the software installed in a private, isolated environment without any network connectivity to an attacker significantly changes the risk profile.

Is my Adobe Campaign Classic instance at risk?

If your instance is reachable from the internet, the risk is higher. According to Halo Surface Signal, Adobe Campaign Classic is commonly deployed with internet-accessible components to handle public-facing campaigns and forms. This design intent often places the software on the network perimeter, potentially exposing it to unauthorized, remote access attempts from outside your organization's internal controls.

What should I do first to address this threat?

Start by identifying all deployed instances of Adobe Campaign Classic within your environment. Once you have a complete inventory, determine which instances are accessible via the network and assess their business criticality. Use this information to prioritize which systems require immediate attention and coordinate with your internal security and infrastructure teams to apply the necessary updates provided by Adobe.

References