Adobe Ships Emergency Fixes for Seven CVSS 10.0 Bugs in ColdFusion, Campaign Classic
Out-of-band advisories cover arbitrary code execution and privilege escalation paths. Administrators face a short remediation window before public exploit code is likely.

Adobe published patches Tuesday for a cluster of maximum-severity vulnerabilities in ColdFusion and Campaign Classic, several carrying CVSS base scores of 10.0.
The ColdFusion advisory (APSB25-93) states the update "resolves critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass." Read that verb list closely. Each of those outcomes maps to a distinct enforcement concern under existing disclosure regimes.
Adobe assigns its own priority ratings alongside CVSS. Products carrying a Priority 1 designation trigger the vendor's recommendation of a 72-hour patch window — a timeline federal civilian agencies will effectively inherit if CISA adds any of these CVEs to the Known Exploited Vulnerabilities catalog.
The Campaign Classic advisory covers a parallel set of code-execution and privilege-escalation defects in the on-premises marketing automation product. Cloud-hosted tenants are updated by Adobe directly. Self-managed deployments are not.
Why this matters for reporting obligations.
ColdFusion sits inside a large number of legacy application stacks at regulated entities, including registrants subject to the SEC's cyber disclosure rule under Item 1.05 of Form 8-K. A confirmed intrusion exploiting one of these flaws would start the four-business-day clock upon a materiality determination. The rule became effective December 18, 2023, and the Commission has already brought enforcement actions tied to disclosure quality rather than the breach itself.
EU-based operators running Campaign Classic should also consider the notification timelines under NIS2 Article 23, which requires an early warning within 24 hours of awareness of a significant incident and an incident notification within 72 hours. Member state transposition remains uneven, but the substantive triggers are in force.
Critical infrastructure entities in the United States should watch for the pending CIRCIA final rule from CISA. The notice of proposed rulemaking closed its comment period in July 2024. The final rule is expected to set a 72-hour covered-incident reporting requirement and a 24-hour ransom-payment reporting requirement. Neither is enforceable yet. Both will be soon.
Exploitation history matters here. ColdFusion has been a recurring target: CVE-2023-26360 was added to CISA's KEV list in March 2023 and cited in a subsequent federal agency compromise. That pattern shapes how quickly defenders should treat the current batch.
Adobe credits multiple external researchers in the advisory acknowledgments. No in-the-wild exploitation has been reported at publication time.
Administrators should apply the updates, review ColdFusion administrator access logs, and document the remediation timeline for any future regulator inquiry.



