Description
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Published: 2026-04-14
Score: 9.3 Critical
EPSS: 3.6% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Adobe Connect versions up to 2025.3 and 12.10 contain a deserialization flaw that allows a crafted payload to be executed in the context of the current user, enabling remote code execution. The vulnerability falls under CWE‑502, a known weakness for processing untrusted serialized data. Exploitation of this issue requires user interaction: a victim must visit a maliciously crafted URL or interact with a compromised web page. An attacker who succeeds can run arbitrary code with the privileges of the current user, potentially compromising configuration, data, and any connected clients.

Affected Systems

Adobe Connect from Adobe; versions 2025.3, 12.10 and all earlier releases are affected. Any installation of these versions—whether on a server or a client—is vulnerable.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, while the EPSS score of 4% indicates a very low but nonzero exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires user interaction, so a remote attacker must lure a user to a malicious link or page to trigger the flaw, with scope changed to affect the entire system.

Generated by OpenCVE AI on April 28, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Adobe Connect security update released by Adobe (APSB26-37).
  • If a patch cannot be applied immediately, restrict external access to the Connect server or block the services that accept serialized input.
  • Disable or limit the deserialization endpoint to prevent unauthorized payloads until the patch is applied.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 03:00:00 +0000

Type: Description
Values Removed: Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Values Added: Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Wed, 22 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe connect
Adobe connect Desktop Application
Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:connect:*:*:*:*:*:-:*:*
cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:macos:*:*
cpe:2.3:a:adobe:connect_desktop_application:*:*:*:*:*:windows:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Adobe connect
Adobe connect Desktop Application
Apple
Apple macos
Microsoft
Microsoft windows

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Connect
Vendors & Products Adobe
Adobe adobe Connect

Wed, 15 Apr 2026 10:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Title Adobe Connect | Deserialization of Untrusted Data (CWE-502)
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-28T02:24:43.589Z

Reserved: 2026-03-30T17:30:36.489Z

Link: CVE-2026-34615

Vulnrichment

Updated: 2026-04-14T18:30:34.576Z

NVD

Status: Analyzed

Published: 2026-04-14T18:17:36.373

Modified: 2026-04-28T15:40:09.080

Link: CVE-2026-34615

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T16:30:35Z

Weaknesses