Impact
Adobe Campaign Classic versions 7.4.3 build 9394 and earlier contain an incorrect authorization flaw (CWE‑863) that allows an attacker to execute arbitrary code in the context of the user who accesses the system. The vulnerability does not require any user interaction, and the flaw changes the security scope, giving the attacker full control over the affected instance. An attacker who can reach the affected functions could run malicious code and compromise the confidentiality, integrity, and availability of the application and its underlying data.
Affected Systems
The affected product is Adobe Campaign Classic (ACC). Users running ACC version 7.4.3 build 9394 or earlier are at risk. No other versions are listed as affected.
Risk and Exploitability
The CVSS score of 10 indicates maximum severity. No EPSS score is available, but that does not diminish the high likelihood that an attacker with sufficient resources could target an exposed instance. The vulnerability does not require user interaction, so a remote attacker could exploit the flaw through exposed web interfaces or APIs. Because the flaw changes scope, a single mis-authorized action can lead to full compromise. The vulnerability is not listed in CISA's KEV catalog, but its criticality warrants immediate attention. The attack vector is not stated outright: it is inferred to be a public-facing service such as a web application or API, because the description says that no user interaction is needed and that scope is changed.
OpenCVE Enrichment