eastbaycyber

CVE-2026-47938: Critical SSRF Vulnerability in Adobe Campaign Classic

CVE explainers 10 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-06-09
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-47938
CVSS score 10.0 (Critical)
Attack vector SSRF; exact CVSS vector not confirmed from available source data
Auth required Unknown from retrieved primary source data; defenders should assume remote reachability until proven otherwise
Patch status Vendor bulletin exists, but exact fixed build could not be confirmed from retrievable primary-source text in this session

TL;DR - Critical SSRF in Adobe Campaign Classic may lead to code execution. - Affects 7.4.3 build 9394 and earlier; upgrade beyond that range. - No confirmed in-the-wild exploitation or verified public PoC yet, but prioritize fast remediation.

AnalystImpact · assess the risk

What happened and why this matters

CVE-2026-47938 is a critical server-side request forgery vulnerability in Adobe Campaign Classic (ACC). According to the NVD description, Adobe Campaign Classic versions 7.4.3 build 9394 and earlier are affected. NVD further states that successful exploitation could result in arbitrary code execution in the context of the current user, that no user interaction is required, and that scope is changed. Those details make this more than a typical low-impact SSRF finding.

For practitioners, the important takeaway is that this is not just an issue of internal metadata exposure or limited backend probing. The available description explicitly links the SSRF condition to possible code execution, which elevates the operational risk substantially. In an Adobe Campaign environment, that means defenders should treat the issue as potentially enabling an attacker to force the application to make backend requests that reach sensitive internal services or trigger unsafe server-side behaviors, with possible compromise of the application tier or adjacent services.

Because the exact CVSS vector string was not present in the available NVD tool response, you should avoid repeating an unverified vector. However, a CVSS base score of 10.0 is enough to justify emergency review, especially for internet-exposed Campaign infrastructure or instances with broad internal network access. Even without confirmed exploitation, the combination of critical severity, no user interaction, and possible code execution is enough to move this into immediate remediation planning.

Affected versions and exposure scope

The affected product identified in the available source material is Adobe Campaign Classic (ACC). The vulnerable range quoted by NVD is specific: “7.4.3 build 9394 and earlier.” That wording matters. If your deployment inventory shows ACC 7.4.3 build 9394 or any earlier build or release in that branch, you should assume exposure unless Adobe documentation for your exact package states otherwise.

The exact fixed version or fixed build number is not confirmed from retrievable primary-source content in this session. The NVD reference points to Adobe bulletin APSB26-66, but the bulletin could not be fetched successfully during research due to repeated timeouts. It would be irresponsible to invent a fixed build number. Therefore, the most accurate statement is:

Version status Detail
Known vulnerable Adobe Campaign Classic 7.4.3 build 9394 and earlier
Exact fixed version/build Unknown from retrieved primary-source text
Defender assumption Upgrade to an Adobe release/build later than 7.4.3 build 9394 only after validating the vendor bulletin or release notes internally

If your organization relies on a managed hosting provider, system integrator, or Adobe support for Campaign maintenance, confirm the deployed build immediately. Many teams know the major version but not the exact build number, and this is one of those cases where the build number is central to triage. Asset owners should not close the issue until they have positive confirmation that their instance is running a build newer than the vulnerable range.

Exploitation status and attacker interest

At the time of writing, exploitation in the wild is not confirmed from the available evidence. Specifically, CISA KEV does not list CVE-2026-47938, so there is no KEV-backed confirmation of active exploitation. That does not mean the risk is low; it only means there is no public CISA confirmation currently available through KEV.

Likewise, no verified public proof of concept (PoC) was identified in this research session. No trustworthy GitHub exploit repository, exploit writeup, or vendor-provided technical reproducer was confirmed from the available sources. Practitioners should record this accurately: no verified PoC is known from the retrieved evidence. Avoid overstating either safety or danger. The correct posture is that exploitability details are limited publicly, but the vendor/NVD severity and impact statement justify urgency anyway.

This distinction matters for prioritization. A critical issue with no public PoC can still become a target quickly once patch diffing begins or reverse engineers analyze the fix. Since the advisory reference exists and the issue is newly published, assume capable attackers may attempt to reproduce it even if a turnkey exploit is not yet circulating publicly.

What defenders should do next

First, identify whether any Adobe Campaign Classic deployments in your environment are running 7.4.3 build 9394 or earlier. If you cannot determine the build number quickly, treat the system as potentially vulnerable until confirmed otherwise. Exposure is especially urgent for internet-reachable instances or any Campaign server with broad access to internal services.

Second, pull together three teams: the application owner, the infrastructure team responsible for egress controls, and the SOC or detection engineering team. The app owner validates version/build status, infrastructure constrains outbound connectivity, and the SOC hunts for suspicious SSRF indicators. Even without a public PoC, this coordinated approach reduces both exploitability and dwell time.

Third, watch for updated vendor or community guidance. The current data set confirms the vulnerable version range and the severity, but not the exact fixed build or exploitation mechanics. In the absence of complete vendor detail, defenders should assume the flaw is serious, remotely relevant, and likely to attract attention because of its CVSS 10.0 rating and possible path to code execution.

ResponderRunbook · act now

Detection and triage guidance

Detection is challenging because SSRF often blends into legitimate application behavior. In Adobe Campaign Classic, the practical defensive goal is to identify unexpected outbound requests initiated by the application server, especially to internal address space, cloud metadata endpoints, loopback addresses, or unusual protocols if the stack supports them.

Start by reviewing web application logs, reverse proxy logs, egress firewall logs, and host telemetry around your ACC infrastructure. Look for sequences where an external request to Campaign is followed almost immediately by the Campaign server making outbound connections to destinations it does not normally contact. In mature environments, a baseline of legitimate Campaign egress destinations will help you separate normal integrations from suspicious traffic. In less mature environments, assume any Campaign-initiated request to RFC1918 space, localhost, link-local addresses, or infrastructure control planes deserves review.

A practical triage checklist includes:

Check Why it matters
Outbound connections from ACC to internal IP ranges Common SSRF post-exploitation behavior
Requests to 169.254.169.254 or cloud metadata paths High-value target for SSRF across cloud environments
Reverse proxy requests containing full URLs in parameters SSRF payloads often submit attacker-controlled URLs
Sudden connections from ACC hosts to uncommon ports May indicate service probing or chaining to RCE
Application errors after crafted URL input Failed SSRF attempts can generate telltale exception patterns

Technical Notes

If you have HTTP access logs in front of Adobe Campaign, start with generic SSRF hunting for user-supplied URLs or internal targets. The exact parameter names for this CVE are not publicly confirmed in the available sources, so focus on patterns rather than a single URI.

169.254.169.254
127.0.0.1
localhost
::1
10.
172.16.
172.17.
172.18.
172.19.
172.2
172.30.
172.31.
192.168.
file://
gopher://
ftp://
http://
https://

Example grep approach for reverse proxy or WAF logs:

grep -E '169\.254\.169\.254|127\.0\.0\.1|localhost|192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|file://|gopher://' /var/log/nginx/access.log

Example Splunk query for suspicious inbound requests and app-driven egress pivots:

(index=web OR index=proxy)
(host="acc*" OR sourcetype=nginx OR sourcetype=apache)
("169.254.169.254" OR "127.0.0.1" OR "localhost" OR "192.168." OR "10." OR "172.16." OR "172.17." OR "172.18." OR "172.19." OR "file://" OR "gopher://")
| stats count by _time, src_ip, dest_ip, uri, user_agent, host

If you have network IDS coverage, a simple starting signature is to alert when Adobe Campaign hosts make unexpected HTTP requests to cloud metadata endpoints:

alert tcp $ACC_SERVERS any -> 169.254.169.254 80 (msg:"ACC possible SSRF to cloud metadata"; flow:to_server,established; content:"GET"; http_method; sid:4793801; rev:1;)

These patterns are not CVE-specific proof of exploitation. They are investigation leads. Because the exact request path and exploitation chain are not publicly confirmed in the available data, defenders should combine these hits with change windows, normal integration inventory, and process-level telemetry from the ACC hosts.

Mitigation and patching

The preferred mitigation is to upgrade Adobe Campaign Classic to a build later than 7.4.3 build 9394, but again, the exact fixed build number is not confirmed from the retrievable primary-source advisory text in this session. That means defenders should not guess. Instead, pull the Adobe bulletin internally, validate the supported fixed build for your branch, and document it in the change record before rollout.

If you cannot patch immediately, compensating controls should focus on reducing the blast radius of SSRF. Most SSRF defenses come down to controlling what the application server can reach. Restrict outbound connectivity from ACC servers to only approved integration destinations. Block access to link-local metadata endpoints such as 169.254.169.254, loopback, unnecessary internal admin services, and arbitrary internet egress where possible. If a reverse proxy or WAF is in front of the application, add temporary rules to reject requests containing absolute URLs or suspicious protocol handlers in parameters that should never accept remote resource locations.

In parallel, review service account permissions and host-level controls. Because NVD states code execution may occur in the context of the current user, the privileges of the ACC service account matter. If that account has broad OS rights or network reach, the downstream impact rises significantly. Tightening account permissions and isolating the host may reduce the consequences of exploitation while you schedule the vendor-approved update.

Technical Notes

Because Adobe Campaign deployment and upgrade procedures vary by packaging and operating environment, use vendor-approved maintenance instructions for your exact installation. The command examples below are operational placeholders for package validation and controlled service management, not a substitute for Adobe documentation.

Check installed package/build information on Linux systems where package metadata is available:

rpm -qa | grep -i campaign
dpkg -l | grep -i campaign

Document the running services before maintenance:

systemctl list-units | grep -Ei 'campaign|nlserver|apache|httpd'
systemctl status nlserver

If your temporary mitigation is outbound filtering, example host firewall controls on Linux could look like this:

# Block cloud metadata endpoint
iptables -A OUTPUT -d 169.254.169.254 -j REJECT

# Block loopback abuse over non-local interfaces is usually handled by routing,
# but block RFC1918 egress except approved destinations as part of segmentation.
ip6tables -A OUTPUT -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -d 192.168.0.0/16 -j REJECT

If your reverse proxy can enforce simple SSRF guardrails, block suspicious absolute URL patterns in user-controlled inputs where business logic allows. For NGINX, a temporary request filter might be implemented cautiously after testing:

if ($request_uri ~* "(169\.254\.169\.254|127\.0\.0\.1|localhost|file://|gopher://)") {
    return 403;
}

For the actual upgrade, the safest instruction based on current evidence is procedural rather than a fabricated one-liner: obtain the Adobe Campaign Classic build newer than 7.4.3 build 9394 that APSB26-66 identifies as fixed, deploy it in maintenance mode, and verify post-upgrade build numbers before returning the service to production. If you do not have direct Adobe access, escalate through your vendor support channel immediately.

References

Source URL
Adobe Security Bulletin APSB26-66 https://helpx.adobe.com/security/products/campaign/apsb26-66.html
NVD entry for CVE-2026-47938 NVD description as cited in available research data

For further reading on similar vulnerabilities, see our article on what is security information and event management and check our FAQ on how to protect your laptop while traveling.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-06-09

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.