
Adobe

ERP & Business Platforms

Period: last 90 days

Open CVEs: 116
Exploited: 1
KEV: 1
Unpatched: 111
No Workaround: 28
Internet-facing: 89

Why this provider is risky now

This provider has 116 open CVE(s) in the last 90 days. 1 listed in CISA KEV (known exploited). 111 have no vendor patch. 89 affect internet-facing services. 12 impact the management/identity plane.

KEV: 1 | Exploited: 1 | Unpatched: 111 | Mgmt / Admin Plane: 12 | Public PoC: 1 | No Workaround: 28 | Internet-facing: 89

Top Risky CVEs

CVE-2026-34621
Act Now
Unpatched
Prototype pollution (CWE-1321) in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execution in the context of the current user via a malicious PDF; the victim must open the crafted document. The analysis text cites CVSS 9.6 (Critical) and network-deliverable code execution with scope change, while the card scores it 8.6 (High), so confirm the vector against the Adobe advisory and NVD before ranking. EPSS 0.24% (46th percentile) indicates a low predicted exploitation probability. The analysis text recorded no public exploit at the time it was written; the card now carries CISA KEV, active-exploitation and public-PoC flags, and this is the provider's single KEV entry, so treat the vulnerability as exploited in the wild.
Within 24 hours: Inventory all systems running Adobe Acrobat Reader 24.001.30356 or 26.001.21367 and earlier; block PDF attachments from untrusted external senders at the mail gateway and restrict Reader to trusted document sources. Within 7 days: Enforce Protected Mode and Enhanced Security in Reader, disable Acrobat JavaScript where workflows allow, and consider a temporary alternative PDF viewer for non-critical workflows. Within 30 days: Monitor Adobe security advisories for the fix; test it in an isolated environment as soon as it ships and deploy it to all vulnerable systems, starting with users who receive external documents.
Edge exposure, ICT dependency, Active exploitation, No patch available, KEV, PoC
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-1321: Prototype Pollution)
  • Third-party ICT: Adobe
  • Exploited in the wild (CISA KEV)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Adobe (ERP & Business Platforms)
  • Known exploited vulnerability (KEV)
  • No remediation available
CVSS 8.6 | EPSS 0.2% | Priority 118
CVE-2026-27303
Act Now
Unpatched
Remote code execution in Adobe Connect 12.10 and earlier (including 2025.3) through deserialization of untrusted data (CWE-502) lets unauthenticated attackers execute arbitrary code. Scope is changed (S:C), so impact can extend beyond the Connect application itself. The CVSS vector carries UI:R, which conflicts with the 'no user interaction' claim in the analysis; verify the real precondition against the Adobe advisory. The analysis and remediation steps cite Adobe advisory APSB26-37 as the fix although the card status reads Unpatched, so confirm fix availability against that advisory as well. EPSS 1.50% (81st percentile). No active exploitation confirmed (SSVC: exploitation=none), but deserialization flaws are commonly weaponized once details emerge.
Within 24 hours: Identify all Adobe Connect instances and their versions in your environment; consult Adobe security advisory APSB26-37 for patch availability and compatibility. Within 7 days: Apply the APSB26-37 fix to all affected Adobe Connect deployments (12.10 and earlier, including 2025.3); verify installation across all systems. Within 30 days: Conduct post-patch validation testing; review access logs for requests carrying serialized-object payloads to Connect endpoints; confirm no rollback to unpatched versions.
Edge exposure, ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-502: Deserialization of Untrusted Data)
  • Third-party ICT: Adobe
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Adobe (ERP & Business Platforms)
  • No remediation available
CVSS 9.6 | EPSS 1.5% | Priority 50
CVE-2026-34659
Act Now
Unpatched
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user.
Edge exposure, ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-502: Deserialization of Untrusted Data)
  • Third-party ICT: Adobe
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Adobe (ERP & Business Platforms)
  • No remediation available
CVSS 9.6 | EPSS 1.5% | Priority 50
CVE-2026-34615
Act Now
Unpatched
Remote code execution in Adobe Connect 12.10 and earlier allows unauthenticated network attackers to execute arbitrary code via deserialization of untrusted data. Scope is changed (CVSS 9.3), enabling impact beyond the vulnerable component. Adobe issued patch APSB26-37; the card status nevertheless reads Unpatched, so confirm fix availability against the advisory. EPSS is 1.44% (81st percentile) and CISA SSVC reports no active exploitation. The CVSS vector conflicts with the description: the vector indicates user interaction required (UI:R) while the description states 'does not require user interaction'; verify the actual interaction requirement with the Adobe advisory.
Within 24 hours: Identify all Adobe Connect deployments running version 12.10 or earlier and isolate affected instances from production networks if patch application cannot be completed immediately. Within 7 days: Apply Adobe patch APSB26-37 to all Adobe Connect instances; verify patch deployment across all systems. Within 30 days: Conduct vulnerability scan of all patched systems to confirm remediation; review access logs for exploitation attempts during the unpatched period.
Edge exposure, ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-502: Deserialization of Untrusted Data)
  • Third-party ICT: Adobe
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Adobe (ERP & Business Platforms)
  • No remediation available
CVSS 9.3 | EPSS 1.4% | Priority 48
CVE-2026-34660
Act Now
Unpatched
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An a
Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass, rce
  • Third-party ICT: Adobe
  • No patch available
  • Management plane (Incorrect Authorization)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Adobe (ERP & Business Platforms)
  • No remediation available
  • Authentication / access control weakness
CVSS 9.3 | EPSS 0.5% | Priority 47
CVE-2026-27243
Act Now
Unpatched
Reflected XSS in Adobe Connect versions 12.10 and earlier enables attackers to execute malicious JavaScript in victim browsers through crafted URLs. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component, elevating the severity to 9.3 despite being 'just' XSS. Requires user interaction (clicking malicious link) but no authentication. EPSS score of 0.10% (27th percentile) suggests low probability of mass exploitation. CISA SSVC framework rates this as non-automatable with total technical impact but no observed exploitation, indicating priority for patch deployment in internet-facing Adobe Connect deployments but not emergency response level.
Within 24 hours: Inventory all Adobe Connect deployments and identify which are internet-accessible; notify users of the vulnerability and advise against clicking unknown links to Connect instances. Within 7 days: Upgrade Adobe Connect to the fixed build named in Adobe's advisory once it is published; until then, implement network-level access restrictions (WAF rules, IP allowlisting, or VPN-only access) to limit the exposure surface. Within 30 days: Conduct post-patch validation and verify all instances run patched versions; review access logs for request parameters carrying script tags, event handlers or javascript: URIs, which indicate exploitation attempts.
Edge exposure, ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-79: Cross-site Scripting (XSS))
  • Third-party ICT: Adobe
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Adobe (ERP & Business Platforms)
  • No remediation available
CVSS 9.3 | EPSS 0.1% | Priority 47
CVE-2026-27245
Act Now
Unpatched
Reflected XSS in Adobe Connect 12.10 and earlier enables attackers to execute malicious JavaScript in victim browsers through crafted URLs. The changed scope (S:C) follows the standard CVSS convention for XSS: the vulnerable component is the Connect application while the impacted component is the victim's browser, so the script runs with the user's Connect session rather than inside the server's own authority. CVSS 9.3 reflects high confidentiality/integrity impact with scope change, though real-world exploitation requires social engineering (UI:R). The EPSS score of 0.10% (27th percentile) and an SSVC classification of non-automatable with no observed exploitation place this lower than the CVSS number alone suggests.
Within 24 hours: Inventory all Adobe Connect deployments and document current versions in use. Within 7 days: Communicate to end-users to avoid clicking suspicious links in Adobe Connect meeting invitations or emails, and educate administrators on the XSS risk vector. Within 30 days: Contact Adobe for patch availability status and timeline; in parallel, implement web application firewall (WAF) rules to detect and block reflected XSS payloads targeting Adobe Connect if feasible, and consider restricting Adobe Connect access to authenticated corporate networks only to reduce social engineering surface.
Edge exposure, ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-79: Cross-site Scripting (XSS))
  • Third-party ICT: Adobe
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Adobe (ERP & Business Platforms)
  • No remediation available
CVSS 9.3 | EPSS 0.1% | Priority 47
CVE-2026-27246
Act Now
Unpatched
DOM-based XSS in Adobe Connect 12.10 and earlier (including 2025.3) enables malicious JavaScript execution in victim browsers when users visit attacker-crafted pages. The changed scope (S:C) in the CVSS vector follows the standard XSS scoring convention: the vulnerable component is the Connect application while the impacted component is the victim's browser, so the script runs in the user's Connect session with whatever that session can reach. Adobe has released a patch in APSB26-37; the card status nevertheless reads Unpatched, so confirm fix availability against the advisory. EPSS exploitation probability is low (0.10%, 27th percentile) with no confirmed active exploitation (not in CISA KEV), so this is currently a theoretical rather than an imminent mass-exploitation threat.
Within 24 hours: Inventory all Adobe Connect deployments and versions currently in use; notify stakeholders of the vulnerability. Within 7 days: Apply Adobe patch APSB26-37 to all affected systems running version 12.10 or earlier, prioritizing production environments; validate patch installation. Within 30 days: Conduct post-patch security testing; implement user awareness training on not clicking suspicious links; review access logs for anomalous activity.
Edge exposure, ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-79: Cross-site Scripting (XSS))
  • Third-party ICT: Adobe
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Adobe (ERP & Business Platforms)
  • No remediation available
CVSS 9.3 | EPSS 0.1% | Priority 47
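The 30-day steps on the deserialization cards (CVE-2026-27303, CVE-2026-34615) and on the XSS cards (CVE-2026-27243, CVE-2026-27245, CVE-2026-27246) both end with an access-log review. The Python below is an added example, not code from this dashboard or from Adobe, showing one way to run that review over combined-format web logs: it URL-decodes each request target (twice, to catch double encoding) and tags it when it carries reflected-XSS markers or the Java serialization stream header (bytes 0xAC 0xED 0x00 0x05, base64 prefix rO0AB). The log lines, paths and payloads are constructed for the example; the Connect endpoint names and the log format are assumptions to replace with your own.

```python
import re
from urllib.parse import unquote_plus, unquote_to_bytes

# Constructed sample in Apache/nginx "combined" format. Paths and payloads are
# invented for this example; they are not real Adobe Connect endpoints or logs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:09:14:02 +0000] "GET /system/login?next=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2026:09:14:09 +0000] "GET /content/?q=foo%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 118 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:09:20:41 +0000] "POST /servlet/gateway?data=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:09:21:03 +0000] "GET /api/xml?action=%AC%ED%00%05 HTTP/1.1" 400 0 "-" "curl/8.4"
192.0.2.9 - - [10/Mar/2026:09:25:00 +0000] "GET /system/login?next=%2Fhome HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined-format entry: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of reflected/DOM XSS payloads, checked after URL-decoding.
XSS_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"<\s*script\b", r"javascript\s*:", r"\bon[a-z]+\s*=", r"<\s*(img|svg|iframe)\b")
]
# Java serialization stream header, raw and as its base64 prefix.
JAVA_SER_RAW = b"\xac\xed\x00\x05"
JAVA_SER_B64 = "rO0AB"


def decode_target(target: str) -> str:
    """URL-decode twice: double encoding is a common way past naive filters."""
    return unquote_plus(unquote_plus(target))


def classify(target: str) -> list[str]:
    """Return the indicator tags found in one request target (empty if clean)."""
    tags = []
    decoded = decode_target(target)
    if any(p.search(decoded) for p in XSS_PATTERNS):
        tags.append("xss")
    if JAVA_SER_B64 in decoded or JAVA_SER_RAW in unquote_to_bytes(target):
        tags.append("java-deser")
    return tags


def triage(log_text: str) -> list[dict]:
    """Parse combined-format lines and return those carrying an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("target"))
        if tags:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"),
                         "status": int(m.group("status")), "tags": tags})
    return hits


def sources(hits: list[dict]) -> dict[str, int]:
    """Flagged requests per client address, to decide what to block or investigate first."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["status"], h["tags"], h["target"])
    print(sources(found))
```

The status code is kept in each hit on purpose: a 500 on a serialized-object request is a stronger signal than a 400, since it suggests the payload reached the deserializer.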
CVE-2026-42155
Act Now
Predictable API session token generation in OpenMage LTS (≤ 20.16.0, confirmed vulnerable through ≤ 20.17.0) allows remote unauthenticated attackers to hijack authenticated XML-RPC, SOAP, and legacy REST API sessions by brute-forcing MD5 digests derived from time-based inputs. The session ID is constructed via md5(time() . uniqid('', true) . null), leaving an attacker with predictable timestamp and microsecond components plus a constrained LCG float - yielding far less than the OWASP ASVS-mandated 64 bits of entropy. Publicly available exploit code exists in the form of a working Python PoC included with the advisory.
Within 24 hours: Inventory all OpenMage LTS deployments and versions; isolate or restrict API access if patch testing cannot begin immediately. Within 7 days: Apply vendor-released patch to all instances running OpenMage LTS ≤ 20.17.0; verify upgrade to patched version. Within 30 days: Conduct forensic review of API access logs from past 90 days for indicators of session hijacking; reset API credentials for all integrations as precaution.
ICT dependency, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: Adobe
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Adobe (ERP & Business Platforms)
CVSS 9.3 | EPSS 0.0% | Priority 47
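To make the entropy argument concrete, the Python below is an added example (not OpenMage's code and not the advisory's PoC) that mirrors the md5(time() . uniqid('', true) . null) construction, bounds the search space an attacker faces, and recovers the timestamp components of a sample token by brute force. The uniqid reproduction follows PHP's "%08x%05x%.8F" output format; treating the LCG float as known is an assumption made to isolate the timestamp search, and the sample timestamp and LCG value are invented.

```python
import hashlib
import math
import secrets


def php_uniqid_more_entropy(sec: int, usec: int, lcg: float) -> str:
    """Reproduce PHP uniqid('', true): sprintf("%08x%05x%.8F", sec, usec, lcg_value() * 10)."""
    return f"{sec:08x}{usec:05x}{lcg * 10:.8F}"


def weak_api_session_id(sec: int, usec: int, lcg: float) -> str:
    """The scheme the advisory describes: md5(time() . uniqid('', true) . null).
    PHP's null concatenates as "", so only time() and uniqid() feed the digest."""
    material = f"{sec}{php_uniqid_more_entropy(sec, usec, lcg)}"
    return hashlib.md5(material.encode()).hexdigest()


def weak_entropy_upper_bound_bits(sec_window: int = 1, usec_states: int = 1_000_000,
                                  lcg_states: int = 10 ** 9) -> float:
    """Generous upper bound on what an attacker must enumerate: the second (known to
    within sec_window from the HTTP Date header), 10^6 microsecond values, and at most
    10^9 distinct 8-decimal LCG outputs in [0, 10). Real LCG state is far more constrained."""
    return math.log2(sec_window * usec_states * lcg_states)


def recover_session_id(observed: str, sec_candidates, lcg: float,
                       usec_candidates=range(1_000_000)):
    """Brute-force the (sec, usec) pair behind an observed session id. The LCG value is
    taken as known (assumption) to isolate the timestamp search; a full attack would
    enumerate LCG states as well."""
    for sec in sec_candidates:
        for usec in usec_candidates:
            if weak_api_session_id(sec, usec, lcg) == observed:
                return sec, usec
    return None


def secure_api_session_id() -> str:
    """What the fix should look like: 256 bits from the OS CSPRNG, well above ASVS's 64-bit floor."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    sec, usec, lcg = 1_773_000_000, 123_456, 0.4242424242  # invented sample values
    sid = weak_api_session_id(sec, usec, lcg)
    print("weak id:", sid)
    print("search space upper bound: %.1f bits (ASVS floor: 64)" % weak_entropy_upper_bound_bits())
    print("recovered:", recover_session_id(sid, [sec], lcg, range(120_000, 130_000)))
    print("secure id:", secure_api_session_id())
```

The upper bound comes out just under 50 bits even before accounting for the LCG's predictability, which is why the advisory can call the token far short of 64 bits; the recovery loop shows how cheap the timestamp half of that search is once the LCG contribution is pinned down.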
CVE-2026-40488
This Week
Remote code execution in OpenMage Magento LTS versions before 20.17.0 allows authenticated attackers to upload executable PHP files through product custom options by bypassing an incomplete file extension blocklist. The vulnerability exists because the upload filter only blocks `.php` and `.exe` extensions, permitting alternative PHP-executable extensions like `.phtml`, `.phar`, `.php3-.php7`, and `.pht`. Uploaded files land in the publicly accessible `media/custom_options/quote/` directory, enabling code execution on servers without explicit script execution restrictions. No active exploitation confirmed (not in CISA KEV), but public disclosure via GitHub Security Advisory increases exploitation likelihood. EPSS data not provided.
Within 24 hours: inventory all OpenMage Magento LTS deployments and verify the current version against 20.17.0. Within 7 days: upgrade all affected instances to OpenMage Magento LTS 20.17.0 or later; validate in a non-production environment first. Within 30 days: audit user accounts with product upload permissions, review media/custom_options/quote/ for files with PHP-executable extensions (.phtml, .phar, .php3-.php7, .pht), and configure the web server to deny script execution in upload directories (no PHP handler under media/) in addition to any WAF rules on upload requests.
Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-434: Unrestricted Upload of File)
  • Third-party ICT: Adobe
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Adobe (ERP & Business Platforms)
CVSS 8.7 | EPSS 0.1% | Priority 44
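The extension blocklist described above, rebuilt in Python as an added example (not OpenMage's code) beside an allowlist replacement, plus a helper for the 30-day review of the upload directory. The allowlist contents, the case-insensitive match on the final suffix, and the directory listing are assumptions constructed for the example.

```python
import os

# Blocklist as described in the advisory text for OpenMage < 20.17.0: only these two
# suffixes are rejected. Matching the final suffix case-insensitively is an assumption.
VULNERABLE_BLOCKLIST = {"php", "exe"}

# Suffixes a typical PHP-enabled web server may hand to the interpreter (server-dependent).
PHP_EXECUTABLE_SUFFIXES = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps"}

# Hardened replacement (assumption): an allowlist of what product custom options need.
UPLOAD_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def suffixes(filename: str) -> list[str]:
    """All dot-separated suffixes of the basename, lowercased: 'shell.php.jpg' -> ['php', 'jpg']."""
    parts = os.path.basename(filename).lower().split(".")
    return parts[1:]


def vulnerable_upload_check(filename: str) -> bool:
    """Blocklist logic: accept unless the final suffix is exactly php or exe."""
    s = suffixes(filename)
    return bool(s) and s[-1] not in VULNERABLE_BLOCKLIST


def hardened_upload_check(filename: str) -> bool:
    """Allowlist logic: exactly one suffix, and it must be on the allowlist. Multi-suffix
    names are refused because Apache's mod_mime can treat 'a.php.jpg' as PHP."""
    s = suffixes(filename)
    return len(s) == 1 and s[0] in UPLOAD_ALLOWLIST


def bypass_suffixes() -> list[str]:
    """PHP-executable suffixes the vulnerable check lets through."""
    return sorted(e for e in PHP_EXECUTABLE_SUFFIXES if vulnerable_upload_check(f"shell.{e}"))


def suspicious_uploads(names) -> list[str]:
    """For the post-patch review of media/custom_options/quote/: any stored name carrying
    a PHP-executable suffix anywhere in it is worth pulling for inspection."""
    return [n for n in names if set(suffixes(n)) & PHP_EXECUTABLE_SUFFIXES]


if __name__ == "__main__":
    # Constructed directory listing, not a real capture.
    listing = ["abc123_photo.jpg", "def456_logo.phtml", "ghi789_note.txt", "jkl012_x.php.jpg"]
    print("suffixes the blocklist misses:", bypass_suffixes())
    print("suspicious uploads:", suspicious_uploads(listing))
```

Even the allowlist only decides what is stored; it does not stop a server from executing a file that slipped in earlier, which is why the 30-day step also removes the PHP handler from the upload directory.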

By Exposure

Internet-facing: 89
Mgmt / Admin Plane: 12
Identity / Auth: 12
Internal only: 20

By Exploitability

Known exploited: 1
Public PoC: 1
High EPSS (>30%): 0
Remote unauthenticated: 29
Local only: 25

By Remediation

Patch available: 5
No patch: 111
Workaround available: 85
No workaround: 28

Affected Services / Product Families

Adobe
116 CVE(s)
CVE-2026-27220 HIGH Unpatched
CVE-2026-27221 MEDIUM Unpatched
CVE-2026-27278 HIGH Unpatched
CVE-2026-21333 HIGH Unpatched
CVE-2026-21362 HIGH Unpatched
CVE-2026-27267 HIGH Unpatched
CVE-2026-27268 MEDIUM Unpatched
CVE-2026-27270 MEDIUM Unpatched
CVE-2026-27271 HIGH Unpatched
CVE-2026-27272 HIGH Unpatched
+ 106 more
Magento
18 CVE(s)
CVE-2026-21282 MEDIUM Unpatched
CVE-2026-21284 HIGH Unpatched
CVE-2026-21285 MEDIUM Unpatched
CVE-2026-21286 MEDIUM Unpatched
CVE-2026-21289 HIGH Unpatched
CVE-2026-21290 HIGH Unpatched
CVE-2026-21291 MEDIUM Unpatched
CVE-2026-21292 MEDIUM Unpatched
CVE-2026-21293 MEDIUM Unpatched
CVE-2026-21294 MEDIUM Unpatched
+ 8 more
Acrobat
3 CVE(s)
CVE-2026-27220 HIGH Unpatched
CVE-2026-27221 MEDIUM Unpatched
CVE-2026-27278 HIGH Unpatched
