A Patch Load That Reads Like a Warning
Adobe opened July with a security release that no enterprise running ColdFusion can afford to file under routine. On July 1, the company shipped fixes for seven vulnerabilities carrying the maximum CVSS score of 10.0, spread across ColdFusion 2023, ColdFusion 2025, and Campaign Classic. Six of the ColdFusion flaws lead to arbitrary code execution, and Adobe was explicit that they can be triggered in low-complexity attacks that require no privileges and no user interaction. That combination, network-reachable, unauthenticated, and trivial to weaponize, is the profile that turns a patch note into an incident-response exercise for anyone who waits.
What makes this release notable is not the raw count but the concentration of perfect-storm ratings. A CVSS 10.0 is rare because it demands the worst answer on every metric at once. Getting six of them in a single product line, alongside a seventh in a separate marketing platform, tells you Adobe's own reviewers and outside researchers found deep, structural problems in how these applications handle untrusted input. For CISOs, the takeaway is uncomfortable but simple: the vendor is telling you, through its scoring, that these are the flaws attackers will reach for first.
What Actually Broke in ColdFusion
The ColdFusion vulnerabilities fall into three familiar but dangerous buckets. CVE-2026-48276 and CVE-2026-48283 are unrestricted file upload flaws, the classic path to a web shell, where an attacker plants executable content the server later runs. CVE-2026-48277, CVE-2026-48281, and CVE-2026-48316 are improper input validation issues, and CVE-2026-48282 is a path traversal bug, each rated 10.0 and each ending in arbitrary code execution. Two further critical flaws, CVE-2026-48313 and CVE-2026-48315 at CVSS 9.3, allow arbitrary file system reads and privilege escalation. Adobe credited researchers including Anirudh Anand, Matan Sandori, and the firm 2Bsecure for the reports.
The fixes ship in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21; builds through 2025.9 and 2023.20, respectively, remain exposed. History is the reason to move fast here. ColdFusion has been a repeat target for mass exploitation after disclosure, with prior years seeing internet-facing servers compromised within days of a patch dropping. The technology tends to sit at the edge of the network, fronting content and applications, which means an unpatched box is often directly reachable and directly valuable. If you run ColdFusion anywhere with inbound access, treat these servers as the top of your remediation queue, not the middle.
The Campaign Classic Authorization Flaw
The seventh maximum-severity issue lives in Adobe Campaign Classic, the on-premises marketing automation platform. Tracked as CVE-2026-48286 and rated CVSS 10.0, it is an incorrect authorization weakness that can allow an attacker to execute arbitrary code in the context of the current user. Adobe fixed it in Campaign Classic v7, build 9397, and confirmed that only on-premises deployments are affected because Adobe-hosted instances were updated before the public advisory. That distinction matters: the organizations still exposed are precisely the ones running their own infrastructure, often with customer contact data sitting inside the platform.
Campaign Classic is easy to overlook in a security program because it is owned by marketing, not IT, and it rarely shows up on a vulnerability team's radar until something goes wrong. That is the gap attackers count on. A code-execution flaw in a system that holds subscriber lists, email templates, and campaign logic is a direct line to both data theft and outbound abuse, where a compromised platform becomes a trusted channel for phishing. We would push CISOs to inventory their marketing stack the same way they inventory their perimeter, because an unmanaged Campaign Classic node is now a 10.0 waiting to be found.
Priority 1 Is Not a Suggestion
Adobe assigned both the ColdFusion and Campaign Classic bulletins a Priority 1 rating, its highest, and told customers to install the updates within 72 hours. In Adobe's own language, the advisory covers vulnerabilities that are being targeted, or which carry a higher risk of being targeted, by exploits. The company said it is not aware of any public exploitation yet, but the Priority 1 label exists precisely to flag the flaws Adobe believes will not stay quiet. Reading that rating as a hard deadline rather than guidance is the correct posture.
An Adobe security executive framed the urgency bluntly, warning that the window between public vulnerability disclosure and active exploitation is compressing from days to hours. That is not marketing language, it is an accurate description of how the current threat economy works. Automated scanning, commodity exploit kits, and access brokers have collapsed the gap between a CVE going public and opportunistic attacks hitting exposed hosts. For a product family with ColdFusion's track record, the safe assumption is that the patch is already being reverse engineered and that proof-of-concept code will circulate well inside the 72-hour window, let alone the longer patch cycles most defenders actually operate on.
Adobe Moves to Twice-Monthly Bulletins
Buried in the same release is a structural change that says as much as any single CVE. Starting July 14, Adobe is shifting to twice-monthly security bulletins, published on the second and fourth Tuesdays, while keeping the option of out-of-band releases for zero-days under active attack. A vendor does not double its patch cadence for cosmetic reasons. It does so because the volume and velocity of serious findings have outgrown a monthly rhythm, and because shortening the interval between fixes reduces the time customers spend exposed to a known but unpatched flaw.
For enterprise patch teams, the cadence change is a planning event, not a footnote. A monthly cycle lets organizations batch testing and deployment into a predictable window. Two cycles a month means twice the regression testing, twice the change-management overhead, and twice the chances to fall behind. The teams that will handle this well are the ones that already treat Adobe patching as a standing operational process rather than a periodic scramble. The rest should use this July release as the forcing function to build that muscle, because the pace Adobe is signaling is not going to slow down.
What CISOs Should Do This Week
The immediate actions are unglamorous and non-negotiable. Inventory every ColdFusion and Campaign Classic instance, including the ones running quietly under a business unit's control, and apply ColdFusion 2025 Update 10, ColdFusion 2023 Update 21, or Campaign Classic build 9397 without waiting for the next maintenance window. Where a server cannot be patched immediately, pull it off the public internet or put it behind strict access controls, because an exposed, unauthenticated code-execution flaw is the single easiest thing for an opportunistic attacker to find and use. Adobe's 72-hour recommendation should be read as the outer limit, not the target.
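The procedure above, as an added example rather than Adobe's code or any tool the bulletins name: a Python triage pass over an asset inventory that flags every ColdFusion 2023, ColdFusion 2025 and Campaign Classic v7 record below the fixed level, puts internet-facing hosts first, attaches the patch-or-isolate action to each, and computes the 72-hour deadline. The fixed levels (Update 10, Update 21, build 9397) and the 72-hour window come from the text; the inventory records, the CMDB-style fields, the midnight-UTC publication time and the version-string layouts the parser accepts are assumptions made for the illustration.

```python
"""Patch-triage helper for the Adobe Priority 1 release discussed above.

Added example for this page, not Adobe tooling. The fixed levels and the
72-hour window come from the bulletins described in the text. The inventory
records, the CMDB-style fields, the midnight-UTC publication time and the
version-string formats handled by parse_level() are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Minimum safe level per product, from the July bulletins.
FIXED_LEVEL = {
    "ColdFusion 2025": 10,        # ColdFusion 2025 Update 10
    "ColdFusion 2023": 21,        # ColdFusion 2023 Update 21
    "Campaign Classic v7": 9397,  # Campaign Classic v7 build 9397
}
PRIORITY1_WINDOW = timedelta(hours=72)
# Bulletin date from the article; the time of day is an assumption.
PUBLISHED = datetime(2026, 7, 1, tzinfo=timezone.utc)

# Dotted form used in the article ("2025.9") or the comma-separated form
# ColdFusion reports about itself ("2023,0,20,000000", assumed layout):
# release year, optional ",0" or ".0", then the update number.
_CF_VERSION = re.compile(r"^(20\d\d)(?:[.,]0)?[.,](\d+)")


@dataclass(frozen=True)
class Asset:
    host: str
    product: str          # "ColdFusion" or "Campaign Classic v7"
    version: str          # raw string as exported from the inventory
    internet_facing: bool
    owner: str            # team that runs it, e.g. "IT" or "Marketing"


def parse_level(asset):
    """Return (fixed-level key, numeric level) for one inventory record.

    Anything unparseable or not covered by the bulletin raises: an
    inventory gap has to surface as an error, never as a silent pass.
    """
    if asset.product == "ColdFusion":
        m = _CF_VERSION.match(asset.version)
        if not m:
            raise ValueError(f"{asset.host}: unparseable ColdFusion version {asset.version!r}")
        key, level = f"ColdFusion {m.group(1)}", int(m.group(2))
    elif asset.product == "Campaign Classic v7":
        if not asset.version.isdigit():
            raise ValueError(f"{asset.host}: unparseable Campaign build {asset.version!r}")
        key, level = asset.product, int(asset.version)
    else:
        raise ValueError(f"{asset.host}: product {asset.product!r} not in this bulletin")
    if key not in FIXED_LEVEL:
        raise ValueError(f"{asset.host}: no fixed level known for {key!r}")
    return key, level


def is_vulnerable(asset):
    """True when the record sits below the fixed level for its product."""
    key, level = parse_level(asset)
    return level < FIXED_LEVEL[key]


def _gap(asset):
    key, level = parse_level(asset)
    return FIXED_LEVEL[key] - level


def triage(assets, published):
    """Order vulnerable hosts for remediation and attach an action to each.

    Internet-facing hosts come first, then the rest by how far behind the
    fixed level they are. Returns (deadline, [(asset, action), ...]).
    """
    deadline = published + PRIORITY1_WINDOW
    vulnerable = sorted((a for a in assets if is_vulnerable(a)),
                        key=lambda a: (not a.internet_facing, -_gap(a), a.host))
    plan = []
    for a in vulnerable:
        if a.internet_facing:
            action = ("patch now; if not patched by the deadline, "
                      "remove from the internet or restrict access")
        else:
            action = "patch within the 72-hour window"
        plan.append((a, action))
    return deadline, plan


# Constructed inventory records, not real hosts or build numbers.
INVENTORY = [
    Asset("cf-web-01", "ColdFusion", "2025.9", True, "IT"),
    Asset("cf-web-02", "ColdFusion", "2025,0,10,000000", True, "IT"),
    Asset("cf-intranet", "ColdFusion", "2023,0,18,000000", False, "IT"),
    Asset("mkt-campaign", "Campaign Classic v7", "9390", False, "Marketing"),
    Asset("cf-finance", "ColdFusion", "2023.21", False, "Finance"),
]

if __name__ == "__main__":
    deadline, plan = triage(INVENTORY, PUBLISHED)
    print(f"Priority 1 deadline: {deadline:%Y-%m-%d %H:%M} UTC")
    for a, action in plan:
        print(f"{a.host:12} {a.product:20} {a.version:18} {a.owner:10} -> {action}")
```

Two design choices carry the point of the section. A record the parser cannot read, or a product the bulletin does not cover (a ColdFusion 2021 host, for instance), raises instead of being skipped, because a silent pass is exactly how the business-unit-owned server stays unpatched. And the marketing-owned Campaign Classic node is sorted into the same queue as the IT-owned ColdFusion hosts, behind only the internet-facing ones, so the owner column cannot quietly demote it.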
Beyond the emergency, this release is a prompt to revisit assumptions about which systems belong in the critical tier. ColdFusion and marketing automation platforms rarely get the scrutiny reserved for domain controllers or VPN gateways, yet both just produced 10.0 remote code execution flaws. We would use the moment to close the visibility gap between security and the teams that run these applications, and to pressure-test whether the organization can actually meet a 72-hour patch deadline when the next Priority 1 lands. Given Adobe's new cadence, the next bulletin is roughly two weeks away.