Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Published: 2026-04-14
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Connect versions 2025.3, 12.10 and earlier contain a deserialization flaw that allows arbitrary code execution when untrusted data is processed. The flaw is classified as CWE‑502 and is significant because an attacker can leverage it to run code with the privileges of the current user. The description notes that the flaw changes the scope, which means that code execution can potentially affect higher-privileged components or system-level resources beyond the single user.

Affected Systems

The affected product is Adobe Connect, version 2025.3, 12.10, and all earlier releases. Administrators should verify that they are not running these versions and plan remediation accordingly.

Risk and Exploitability

The CVSS score of 9.6 identifies the vulnerability as critical. The EPSS score is less than 1 percent, indicating a low but non‑zero probability of exploitation, and the flaw is not yet listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote but requires user interaction in that an attacker sends a malicious URL or composes a compromised web page that the victim visits, from which the deserialization occurs. Although the vulnerability is high‑severity, the low EPSS indicates that real‑world exploitation is currently rare, but the scope change expands potential impact across the system.

Generated by OpenCVE AI on June 18, 2026 at 09:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Adobe patch for Adobe Connect 2025.3 and earlier versions to eliminate the deserialization flaw.
  • If an immediate patch is unavailable, isolate the affected servers from external traffic or block access to the deserialization endpoints by configuring firewall rules.
  • Enable a web application firewall or equivalent to filter malicious payloads targeting deserialization and alert on suspicious activity.
  • Audit user permissions on Adobe Connect servers to ensure the principle of least privilege, limiting the damage from successful exploitation.

Generated by OpenCVE AI on June 18, 2026 at 09:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Description Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Wed, 22 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe connect
Adobe connect Desktop Application
Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:connect:*:*:*:*:*:-:*:*
cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:macos:*:*
cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:windows:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Adobe connect
Adobe connect Desktop Application
Apple
Apple macos
Microsoft
Microsoft windows

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Connect
Vendors & Products Adobe
Adobe adobe Connect

Tue, 14 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Title Adobe Connect | Deserialization of Untrusted Data (CWE-502)
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Adobe Adobe Connect Connect Connect Desktop Application
Apple Macos
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-28T02:24:34.780Z

Reserved: 2026-02-18T22:02:41.399Z

Link: CVE-2026-27303

cve-icon Vulnrichment

Updated: 2026-04-14T18:22:25.367Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T18:16:56.633

Modified: 2026-06-17T10:27:00.370

Link: CVE-2026-27303

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T09:15:16Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data