Description
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Published: 2026-05-12
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are vulnerable to a deserialization of untrusted data flaw (CWE‑502). The weakness is exploitable to run arbitrary code under the context of the user whose browser visits a crafted URL or a compromised web page. The vulnerability changes the scope of the attack, allowing the attacker to gain control over the entire client application. Consequently, the impact is a high‑severity compromise of confidentiality, integrity, and availability for any affected user.

Affected Systems

Adobe Connect by Adobe, specifically versions 2025.9.15, 2025.8.157 and earlier. There is no mention of other versions or editions.

Risk and Exploitability

The CVSS score of 9.6 indicates critical severity. EPSS data is not available, so the exploitation probability cannot be quantified, and the vulnerability is not listed in the KEV catalogue. The attack requires user interaction: a victim must visit a maliciously crafted URL or interact with a compromised web page, which then triggers the deserialization flaw. Given the catastrophic consequence of arbitrary code execution, the overall risk to organizations using these versions is extremely high.

Generated by OpenCVE AI on May 12, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Adobe Connect to a patch version newer than 2025.9.15
  • If an update is not immediately possible, restrict Connect service to trusted internal networks and block external access from untrusted hosts
  • Deploy a web application firewall or equivalent filtering to block crafted URLs and monitor traffic for known deserialization attack patterns
  • Limit the number of users with administrative privileges and enforce strong authentication to reduce the impact of a successful exploit


Advisories

No advisories yet.

History

Wed, 13 May 2026 00:30:00 +0000

Values added (no values removed):

  • First Time appeared: Adobe; Adobe adobe Connect
  • Vendors & Products: Adobe; Adobe adobe Connect

Tue, 12 May 2026 19:00:00 +0000

Values added (no values removed):

  • Description: Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
  • Title: Adobe Connect | Deserialization of Untrusted Data (CWE-502)
  • Weaknesses: CWE-502
  • References:
  • Metrics: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T03:58:20.023Z

Reserved: 2026-03-30T17:30:36.493Z

Link: CVE-2026-34659

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T19:16:30.800

Modified: 2026-05-12T19:16:30.800

Link: CVE-2026-34659

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T00:15:27Z

Weaknesses