Cyber Posture

CVE-2026-27303

Critical

Published: 14 April 2026

Modified: 28 April 2026
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0374 (88.1th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly remediates the deserialization of untrusted data vulnerability by applying vendor patches for affected Adobe Connect versions.

prevent: Validates untrusted input from malicious URLs or web pages before deserialization, preventing arbitrary code execution.

prevent: Implements memory protections such as DEP and ASLR to mitigate arbitrary code execution even if deserialization partially succeeds.

Security Summary [AI]

CVE-2026-27303 is a Deserialization of Untrusted Data vulnerability (CWE-502) affecting Adobe Connect versions 2025.3, 12.10, and earlier. It enables arbitrary code execution in the context of the current user. The vulnerability has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating critical severity: network attack vector, low attack complexity, no privileges required, user interaction required, and changed scope.

Remote attackers can exploit this vulnerability by tricking victims into visiting a maliciously crafted URL or interacting with a compromised web page. Successful exploitation allows attackers to execute arbitrary code with the privileges of the current user, potentially leading to full system compromise on the victim's machine.

The official Adobe Security Bulletin APSB26-37 at https://helpx.adobe.com/security/products/connect/apsb26-37.html provides details on mitigation, including available patches for affected versions. Security practitioners should apply these updates promptly and advise users to avoid suspicious links.

Details

CWE(s)

Affected Products

adobe connect: ≤ 12.11
adobe connect desktop application: ≤ 2025.3 · ≤ 2025.9.15

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-27303 is a deserialization vulnerability in the public-facing Adobe Connect web application enabling remote arbitrary code execution with no privileges required, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
