Adobe and Microsoft Address Critical Vulnerabilities in June 2026 Security Update

Severity: High (Score: 70.5)

Sources: Thezdi, Heise.De, helpx.adobe.com

Published: 2026-06-10 · Updated: 2026-06-10

Keywords: adobe, security, patchday, vulnerabilities, patch, closes, over

Severity indicators: vulnerabilities

Summary

In June 2026, Adobe and Microsoft released significant security updates addressing over 571 CVEs, including critical vulnerabilities in Adobe Campaign Classic and ColdFusion. Adobe's updates included 11 bulletins that fixed 123 unique CVEs, with two critical vulnerabilities in Campaign Classic (CVE-2026-48303, CVE-2026-47938) rated 10/10 on the CVSS scale. These vulnerabilities could allow attackers to execute malicious code and compromise systems. Microsoft patched 208 CVEs, with 38 rated critical, affecting various products including Windows and Office. Although no active exploitation has been reported, the potential for future attacks remains high, especially for Adobe Reader and ColdFusion. Security teams are urged to prioritize these updates to mitigate risks.

Key Points:

  • Adobe fixed 123 vulnerabilities, including two critical CVEs in Campaign Classic with a CVSS score of 10.
  • Microsoft's June update addressed 208 CVEs, with 38 classified as critical.
  • No active exploits have been reported, but the vulnerabilities pose significant risks for future attacks.

Detailed Analysis

**Impact**

Adobe users across multiple products including Campaign Classic, ColdFusion, Acrobat Reader, Experience Manager, and InDesign are affected by 123 unique CVEs, with two critical vulnerabilities in Campaign Classic rated CVSS 10.0. Microsoft users face an unprecedented 208 CVEs across Windows, Office, Edge, Azure, and other components, with 38 critical vulnerabilities. The vulnerabilities threaten systems globally on Windows and Linux platforms, potentially allowing full system compromise, privilege escalation, and code execution. No active exploitation has been reported yet, but some Microsoft vulnerabilities are under active exploitation or publicly known.

**Technical Details**

Critical Adobe vulnerabilities include CVE-2026-48303 and CVE-2026-47938 in Campaign Classic, allowing remote code execution, and multiple critical CVEs in ColdFusion (e.g., CVE-2026-47928, CVE-2026-47929) enabling code execution and privilege escalation. Experience Manager Forms has critical stored and reflected XSS vulnerabilities (CVE-2026-34691, CVE-2026-34693). Microsoft patched 208 CVEs including one actively exploited and three publicly known, affecting core OS components, Office, Edge (Chromium), Azure, and security features like Secure Boot and BitLocker. No specific malware or IOCs were provided.

**Recommended Response**

Apply Adobe patches immediately for Campaign Classic (v7.4.3 build 9396), ColdFusion 2023/2025 updates, and Experience Manager versions as per advisories, prioritizing Campaign Classic and ColdFusion. Deploy Microsoft June 2026 patches promptly, focusing on critical and actively exploited vulnerabilities. Monitor for unusual activity related to code execution and privilege escalation attempts, and review security configurations for affected Adobe and Microsoft products. No specific detection signatures or IOCs are available; maintain heightened vigilance for emerging threat intelligence.

Source articles (3)

  • The June 2026 Security Update Review — Thezdi · 2026-06-09
    I’ve made it through Pwn2Own Berlin, had a little vacation, and now I’m back for Patch Tuesday. Microsoft and Adobe didn’t disappoint. In fact, they have heralded my return with the largest Patch Tues…
  • Patchday: Adobe closes over 120 security vulnerabilities in InDesign & Co. — Heise.De · 2026-06-10
    On this Patchday, two “critical” security vulnerabilities with the highest rating in Adobe Campaign Classic are considered the most dangerous. Malicious code can thus enter PCs and completely compromi…
  • can be found by admins in the official security advisories. — helpx.adobe.com · 2026-06-10

Timeline

  • 2026-05-19 — CVE-2026-45585 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-20 — CVE-2026-41091 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-04 — CVE-2026-47655 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-04 — CVE-2026-47644 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-04 — CVE-2026-48579 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-04 — CVE-2026-42824 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-04 — CVE-2026-45497 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-04 — CVE-2026-48567 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-09 — Adobe and Microsoft June security updates released: Adobe issued 11 bulletins for 123 CVEs, while Microsoft patched 208 CVEs across multiple products.
  • 2026-06-09 — Critical vulnerabilities identified in Adobe Campaign Classic: Two critical vulnerabilities (CVE-2026-48303, CVE-2026-47938) with a CVSS score of 10 were disclosed, allowing potential system compromise.

CVEs

  • CVE-2025-10263
  • CVE-2026-26142
  • CVE-2026-32193
  • CVE-2026-33113
  • CVE-2026-33828
  • CVE-2026-34335
  • CVE-2026-34691
  • CVE-2026-34693
  • CVE-2026-40371
  • CVE-2026-40376
  • CVE-2026-40404
  • CVE-2026-40409
  • CVE-2026-41091
  • CVE-2026-41092
  • CVE-2026-41098
  • CVE-2026-41108
  • CVE-2026-42824
  • CVE-2026-42828
  • CVE-2026-42829
  • CVE-2026-42835
  • CVE-2026-42836
  • CVE-2026-42837
  • CVE-2026-42902
  • CVE-2026-42903
  • CVE-2026-42904
  • CVE-2026-42905
  • CVE-2026-42906
  • CVE-2026-42907
  • CVE-2026-42908
  • CVE-2026-42909

Related entities

  • DoS (Attack Type)
  • Malware (Attack Type)
  • Ransomware (Attack Type)
  • XSS (Vulnerability)
  • CWE-269 - Improper Privilege Management (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-79 - Cross-site Scripting (XSS) (Cwe)
  • german.it (Domain)
  • T1059.001 - PowerShell (Mitre Attack)
  • Adobe Campaign Classic (Platform)
  • Adobe InDesign (Platform)
  • AEM 6.5 LTS Service Pack 2 (Platform)
  • AEM 6.5 Service Pack 25 (Platform)
  • AEM Cloud Service (Platform)
  • Azure Attestation Service (Platform)
  • Azure HorizonDB (Platform)
  • Azure Kubernetes Service (Platform)
  • Azure Network Adapter (Platform)
  • Azure Stack Edge (Platform)
  • ColdFusion 2023 (Platform)
  • ColdFusion 2025 (Platform)
  • Copilot (Platform)
  • Copilot Chat (Platform)
  • DHCP Client Service (Platform)
  • Experience Manager Forms (Platform)
  • HTTP.sys (Platform)
  • Linux (Platform)
  • M365 Copilot (Platform)
  • Microsoft Defender (Platform)
  • Microsoft Edge (Platform)
  • Microsoft Office (Platform)
  • Nuance PowerScribe (Platform)
  • Remote Desktop Client (Platform)
  • Windows (Platform)
  • Windows Active Directory Domain Services (Platform)
  • Windows BitLocker (Platform)
  • Windows Deployment Services (Platform)
  • Windows Device Health Attestation (Platform)
  • Windows Graphics Component (Platform)
  • Windows Hyper-V (Platform)
  • Azure (Company)
  • Remote Desktop (Tool)
  • PowerShell (Tool)