
CVE-2026-27303

Severity: Critical · Impact: RCE

Published: 14 April 2026
Modified: 28 April 2026
KEV Added: not listed
Patch: available (Adobe APSB26-37)
CVSS Score: v3.1 9.6 · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score: 0.0061 (44.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27303 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe Connect, affecting versions 2025.3, 12.10 and earlier, including the Adobe Connect Desktop Application. Its CVSS v3.1 base score is 9.6 (Critical). The vector (AV:N/AC:L/PR:N/UI:R/S:C) means the flaw is reachable over the network with no authentication, that a user must take an action for exploitation to succeed, and that the impact extends beyond the vulnerable component.

Operationally, this page maps exploitation to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), although the UI:R requirement and the described trigger (a victim visiting a crafted URL or a compromised web page) point to a client-side entry rather than a server-side one. EPSS ranks the CVE at the 44.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection), alongside timely application of the vendor patch.

Deeper analysis

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability classified as CWE-502. The flaw carries a CVSS 3.1 base score of 9.6 and can result in arbitrary code execution in the context of the current user, with changed scope (S:C): a successful exploit affects resources beyond the security authority of the vulnerable component itself.

An attacker exploits the issue by getting the victim to visit a maliciously crafted URL or interact with a compromised web page; the serialized data the application then deserializes is under the attacker's control. No authentication or prior privileges are required (PR:N), but user interaction is (UI:R). Successful exploitation yields arbitrary code execution with the privileges of the user running the application, which is why endpoint controls on the user's workstation matter as much as server-side ones.

Adobe Security Bulletin APSB26-37 (https://helpx.adobe.com/security/products/connect/apsb26-37.html) addresses the issue and lists the patched versions and mitigation steps for affected Connect installations.

The EPSS score (0.0061, 44.7th percentile, at the time of the last update) has not risen materially since disclosure, indicating limited observed exploitation interest so far. A low EPSS is not a reason to defer the patch for a pre-authentication RCE; it is a prioritization signal relative to other open findings.

Vulnerability details

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

CWE(s)

CWE-502: Deserialization of Untrusted Data

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-27303 is a deserialization vulnerability in Adobe Connect enabling remote arbitrary code execution with no privileges required, which this page maps to T1190: Exploit Public-Facing Application on the basis that Connect is an Internet-facing web application. Note that the CVSS vector (UI:R) and the vulnerability text describe a client-side trigger, a victim visiting a crafted URL or a compromised web page, for which T1189 (Drive-by Compromise) or T1204.001 (User Execution: Malicious Link) is the closer fit. For detection and hunting, treat both the Connect server and the desktop client as in scope.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34615 (same product: Adobe Connect)
CVE-2026-27246 (same product: Adobe Connect)
CVE-2026-27243 (same product: Adobe Connect)
CVE-2026-34617 (same product: Adobe Connect)
CVE-2026-27245 (same product: Adobe Connect)

The following Microsoft CVEs are also listed by this page as related. They are not same-vendor matches, since CVE-2026-27303 concerns an Adobe product:

CVE-2025-59237 (Microsoft)
CVE-2025-55232 (Microsoft)
CVE-2025-53772 (Microsoft)
CVE-2026-21531 (Microsoft)
CVE-2025-49712 (Microsoft)

Affected Assets

adobe / connect: ≤ 12.11
adobe / connect desktop application: ≤ 2025.3 · ≤ 2025.9.15

The asset record above lists Connect ≤ 12.11 while the vulnerability text says "12.10 and earlier"; confirm the exact fixed builds against APSB26-37 before closing a finding, and inventory desktop client installs separately from the server, since the two are versioned independently.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Enforces validation of untrusted serialized data supplied via malicious URLs before deserialization occurs. In practice the URL or link handler must treat the payload as data, not as an object graph to materialize: reject anything that does not match the expected schema, and prefer a data-only format over native object serialization. This directly blocks the path to arbitrary code execution.

SI-3 Malicious Code Protection (prevent, detect)
Deploys malicious-code detection mechanisms that can identify and block the payload resulting from successful deserialization of attacker-controlled data. Because the code runs in the context of the current user, endpoint protection on the user's workstation is the relevant placement.

Vendor patching (prevent)
Requires timely application of the vendor patches in APSB26-37 that remediate the deserialization flaw in Adobe Connect versions 2025.3, 12.10 and earlier.
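The pattern described under Deeper analysis (attacker-controlled serialized data reached through a crafted URL) and the SI-10 and SI-3 controls above, as an added, constructed example that is not Adobe Connect code and is not taken from the advisory: a desktop-style URL handler that unpickles a "state" parameter (the CWE-502 pattern), the hardened equivalent that accepts only a data-only format and validates every field before constructing an object (SI-10), and a scanner that inspects a serialized blob for code-executing opcodes without loading it (SI-3). The myapp:// scheme, the state parameter, the pickle and JSON encodings, the MeetingState type and the demo payload are all assumptions made for illustration; the real product's serialization format is not given on the page.

```python
"""Constructed CWE-502 example: a URL handler that deserialises attacker-
controlled data, its hardened form, and a scanner for code-executing payloads.
Not Adobe Connect code: scheme, parameter name and formats are assumptions."""
import base64
import json
import pickle
import pickletools
import re
from urllib.parse import parse_qs, urlparse

SCHEME = "myapp"                 # assumed custom URL scheme of a desktop app
ROOM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
EXECUTED = []                    # side-effect log for the harmless demo payload

class MeetingState:              # the only object a join link should produce
    def __init__(self, room, display_name):
        self.room = room
        self.display_name = display_name

def _blob_from_url(url):
    """Decode the base64 'state' parameter of a myapp:// URL (assumed format)."""
    parsed = urlparse(url)
    if parsed.scheme != SCHEME:
        raise ValueError("unexpected scheme %r" % parsed.scheme)
    state = parse_qs(parsed.query).get("state")
    if not state:
        raise ValueError("missing state parameter")
    return base64.urlsafe_b64decode(state[0])

def vulnerable_handler(url):
    """CWE-502: the URL is attacker-controlled, so the blob is too, and
    pickle.loads() calls whatever callable the stream names (GLOBAL + REDUCE)."""
    return pickle.loads(_blob_from_url(url))

def hardened_handler(url):
    """SI-10: data-only format, every field validated before an object is built."""
    blob = _blob_from_url(url)
    if len(blob) > 4096:
        raise ValueError("state too large")
    data = json.loads(blob.decode("utf-8"))  # decode/parse errors are ValueError
    if not isinstance(data, dict) or set(data) != {"room", "display_name"}:
        raise ValueError("unexpected fields")
    room, name = data["room"], data["display_name"]
    if not (isinstance(room, str) and ROOM_RE.match(room)):
        raise ValueError("bad room id")
    if not (isinstance(name, str) and 0 < len(name) <= 80 and name.isprintable()):
        raise ValueError("bad display name")
    return MeetingState(room, name)

# SI-3 side: inspect a pickle stream without loading it. REDUCE/INST/OBJ/NEWOBJ_EX
# invoke callables; GLOBAL/STACK_GLOBAL import them by name.
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ_EX"}
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE", "STRING"}

def pickle_indicators(blob, allowed_globals):
    """Return reasons to block: call opcodes, or global references outside the
    allowlist of (module, name) pairs the application legitimately pickles."""
    findings, strings = [], []
    try:
        for op, arg, _pos in pickletools.genops(blob):
            if op.name in STRING_OPCODES:
                strings.append(arg)          # STACK_GLOBAL takes module, name
            elif op.name == "GLOBAL":        # pickletools renders "module name"
                if tuple(arg.split(" ", 1)) not in allowed_globals:
                    findings.append("GLOBAL %s" % arg)
            elif op.name == "STACK_GLOBAL":
                if tuple(strings[-2:]) not in allowed_globals:
                    findings.append("STACK_GLOBAL %s" % " ".join(strings[-2:]))
            elif op.name in CALL_OPCODES:
                findings.append(op.name)
    except Exception as exc:                 # truncated or not a pickle at all
        findings.append("unparseable: %s" % exc)
    return findings

def _demo_callable(arg):         # stands in for os.system/subprocess.Popen
    EXECUTED.append(arg)
    return arg

class _ExploitObject:            # attacker's object: __reduce__ names the callable
    def __reduce__(self):
        return (_demo_callable, ("attacker-chosen argument",))

def make_url(blob):              # embed a blob the way the assumed handler expects
    return "%s://join?state=%s" % (SCHEME, base64.urlsafe_b64encode(blob).decode())

def demo():
    """Run the scanner and both handlers on a benign and a malicious blob."""
    allowed = {(MeetingState.__module__, "MeetingState")}
    benign = pickle.dumps(MeetingState("r1", "Alice"), protocol=4)
    malicious = pickle.dumps(_ExploitObject(), protocol=4)
    json_blob = json.dumps({"room": "r1", "display_name": "Alice"}).encode()
    return {
        "benign_flags": pickle_indicators(benign, allowed),
        "malicious_flags": pickle_indicators(malicious, allowed),
        "vuln_result": vulnerable_handler(make_url(malicious)),   # callable ran
        "hardened_room": hardened_handler(make_url(json_blob)).room,
    }
```

Running demo() shows the contrast: the benign blob passes the scanner, the malicious blob is flagged twice (a global reference outside the allowlist and a REDUCE opcode) and, when fed to vulnerable_handler, invokes the attacker-named callable; hardened_handler rejects the same blob outright because it is not the expected JSON document. The lesson is independent of the serializer: whatever format a product uses (Java ObjectInputStream, .NET BinaryFormatter, Python pickle), input must not be able to name code to run, and validation has to happen before any object graph is materialized.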

References

Adobe Security Bulletin APSB26-37: https://helpx.adobe.com/security/products/connect/apsb26-37.html