Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Published: 2026-04-14
Score: 9.3 Critical
EPSS: 1.4% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Adobe Connect versions up to 2025.3 and 12.10 contain a deserialization flaw that allows a crafted payload to be executed in the context of the current user, enabling remote code execution without requiring user interaction. The vulnerability falls under CWE-502, a known weakness for processing untrusted serialized data. An attacker who succeeds can run arbitrary code with the privileges of the current user, potentially compromising configuration, data, and any connected clients.

Affected Systems

Adobe Connect from Adobe; versions 2025.3, 12.10 and all earlier releases are affected. Any installation of these versions—whether on a server or a client—is vulnerable.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, while the EPSS score of 0.0144 indicates a very low but nonzero exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. Exploitation does not require user interaction, implying that a remote attacker can trigger the flaw through a crafted request to the Connect server, with scope expanded to affect the entire system.

Generated by OpenCVE AI on April 15, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Adobe Connect security update released by Adobe (APSB26-37).
  • If a patch cannot be applied immediately, restrict external access to the Connect server or block the services that accept serialized input.
  • Disable or limit the deserialization endpoint to prevent unauthorized payloads until the patch is applied.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

Type: First Time appeared
Values Added: Adobe; Adobe adobe Connect

Type: Vendors & Products
Values Added: Adobe; Adobe adobe Connect

Wed, 15 Apr 2026 10:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 18:00:00 +0000

Type: Description
Values Added: Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Type: Title
Values Added: Adobe Connect | Deserialization of Untrusted Data (CWE-502)

Type: Weaknesses
Values Added: CWE-502

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-15T09:35:52.515Z

Reserved: 2026-03-30T17:30:36.489Z

Link: CVE-2026-34615

Vulnrichment

Updated: 2026-04-14T18:30:34.576Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T18:17:36.373

Modified: 2026-04-15T16:14:07.857

Link: CVE-2026-34615

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:45:07Z

Weaknesses