Cyber Resilience

CVE-2026-34615

Critical · RCE

Published: 14 April 2026

Modified: 28 April 2026
CVSS Score v3.1: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0063 (45.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-34615 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe Connect Desktop Application. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 45.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability, identified as CVE-2026-34615 and assigned CWE-502. The flaw can result in arbitrary code execution in the context of the current user and is rated 9.3 under CVSS 3.1 with network attack vector, low complexity, no required privileges, required user interaction, and changed scope.

An unauthenticated attacker can exploit the issue by supplying a maliciously crafted URL or compromised web page that the victim must visit or interact with, enabling injection of malicious scripts that may yield elevated access or control over the victim's account or session.

The Adobe security advisory at https://helpx.adobe.com/security/products/connect/apsb26-37.html provides further details on the issue. The EPSS score remains flat at a peak and current value of 0.0451 with no material rise after disclosure.

Vulnerability details

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-34615 is a deserialization vulnerability in Adobe Connect, a public-facing web application, enabling remote arbitrary code execution with no privileges required (AV:N/AC:L/PR:N), directly mapping to Exploit Public-Facing Application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27303 · Same product: Adobe Connect
CVE-2026-27246 · Same product: Adobe Connect
CVE-2026-27243 · Same product: Adobe Connect
CVE-2026-34617 · Same product: Adobe Connect
CVE-2026-27245 · Same product: Adobe Connect
CVE-2025-59237 · Same vendor: Microsoft
CVE-2025-55232 · Same vendor: Microsoft
CVE-2025-53772 · Same vendor: Microsoft
CVE-2026-21531 · Same vendor: Microsoft
CVE-2025-49712 · Same vendor: Microsoft

Affected Assets

adobe connect: ≤ 12.11
adobe connect desktop application: ≤ 2025.3 · ≤ 2025.9.15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires validation and sanitization of untrusted data before deserialization, blocking the malicious serialized payload that enables arbitrary code execution.

prevent · detect

Deploys malicious-code detection mechanisms that can identify and block the injected scripts or code resulting from successful deserialization.

prevent · detect

Enforces integrity verification on inputs and software components, allowing detection of unauthorized modifications introduced via the crafted URL or web page.
