Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Published: 2026-04-14
Score: 9.6 Critical
EPSS: 3.7% Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

Adobe Connect versions 2025.3, 12.10 and earlier contain a flaw that allows deserialization of untrusted data, which can lead to arbitrary code execution in the current user's session. This weakness is classified as CWE-502 and is noteworthy because exploitation requires the victim to visit a maliciously crafted URL or interact with a compromised web page. The vulnerability also changes the scope, meaning that the impact may extend beyond the initiating user to higher privilege levels or broader system components.

Affected Systems

The affected product is Adobe Connect, specifically installations running version 2025.3, 12.10 or earlier. Administrators should inventory their deployments to determine if they are on a vulnerable version and plan remediation accordingly.

Risk and Exploitability

The flaw carries a CVSS score of 9.6, marking it critical. EPSS score is 4%, and the vulnerability is not yet listed in the CISA KEV catalog. The likely attack path involves an attacker directing a victim to a maliciously crafted URL or compromised web page, which then initiates the deserialization process; since user interaction is required, exploitation is not purely remote and depends on the victim engaging with the crafted content. Given the high severity and the 4% EPSS score, the overall risk remains significant, especially in environments where users may inadvertently visit compromised sites.

Generated by OpenCVE AI on April 28, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Adobe patch to Adobe Connect.
  • If a patch is not yet available, restrict external network access to the affected deserialization endpoints.
  • Enable detailed logging for deserialization activity and review logs regularly for anomalies.
  • Restrict the use of privileged accounts on the Adobe Connect server to reduce potential impact.

Generated by OpenCVE AI on April 28, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Description Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Wed, 22 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe connect
Adobe connect Desktop Application
Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:connect:*:*:*:*:*:-:*:*
cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:macos:*:*
cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:windows:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Adobe connect
Adobe connect Desktop Application
Apple
Apple macos
Microsoft
Microsoft windows

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Connect
Vendors & Products Adobe
Adobe adobe Connect

Tue, 14 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Title Adobe Connect | Deserialization of Untrusted Data (CWE-502)
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Adobe Adobe Connect Connect Connect Desktop Application
Apple Macos
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-28T02:24:34.780Z

Reserved: 2026-02-18T22:02:41.399Z

Link: CVE-2026-27303

cve-icon Vulnrichment

Updated: 2026-04-14T18:22:25.367Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T18:16:56.633

Modified: 2026-04-28T15:40:06.993

Link: CVE-2026-27303

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T16:30:35Z

Weaknesses