Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Network-reachable authorization bypass needing no auth or interaction yields PR:N/UI:N/AC:L, and code execution crossing the component boundary justifies S:C with full C/I/A impact.
Primary rating from Vendor (adobe).
CVSS VectorVendor: adobe
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Articles & Coverage 1
AnalysisAI
Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9396 and earlier allows unauthenticated attackers to bypass authorization controls and run arbitrary code in the context of the current user. The flaw stems from an incorrect authorization check (CWE-863) reachable over the network with no user interaction, and the changed scope means impact can extend beyond the vulnerable component. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of Adobe Campaign Classic version 7.4.3 build 9396 and earlier, per the CVSS vector AV:N/AC:L/PR:N/UI:N and the description's explicit note that exploitation does not require user interaction. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available severity signals point to top-tier priority: the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H scores a maximum 10.0, indicating network-reachable, low-complexity, unauthenticated exploitation with no user interaction and full confidentiality, integrity and availability impact across a changed scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to an internet-exposed Adobe Campaign Classic server sends crafted requests to a privileged endpoint, abusing the incorrect authorization check to invoke functionality that should require authentication. Because no credentials and no user interaction are needed, the attacker chains the bypass into arbitrary code execution in the context of the ACC service, gaining a foothold on the host. … |
| Remediation | Patch available per vendor advisory: upgrade Adobe Campaign Classic to the fixed release identified in Adobe Security Bulletin APSB26-69 (https://helpx.adobe.com/security/products/campaign/apsb26-69.html), as builds at or below 7.4.3 build 9396 are vulnerable; the exact patched build should be confirmed directly from that bulletin before deployment as a specific fix version was not included in the provided data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all ACC deployments and identify systems running version 7.4.3 build 9396 or earlier; implement network segmentation to restrict ACC access to trusted internal networks only; enable detailed logging of all authentication and authorization events. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40337
GHSA-f44v-356v-7qcf