Adobe Connect is Adobe's webinar/video conferencing platform, used by educational institutions, HR training departments, and coaching/consulting firms to host online sessions. On May 12, 2026, Adobe disclosed two CRITICAL CVEs affecting Adobe Connect ≤ 2025.9.15:
- CVE-2026-34659 (CVSS 9.6) — Deserialization of untrusted data → RCE
- CVE-2026-34660 (CVSS 9.3) — Incorrect Authorization → script injection in user context
Both require user interaction (clicking a malicious link or interacting with a compromised page) but have a changed scope (the attack crosses isolation boundaries and impacts beyond the vulnerable component). Classic webinar CVE pattern: an attacker sends a link via email/Slack, the victim clicks thinking it's a legitimate session, and their account is compromised.
CVE-2026-34659 — Deserialization of Untrusted Data (RCE)
Component and mechanism
The Adobe Connect Desktop Application (and likely the server-side web component too) deserializes data received from an external channel (crafted URL, network payload, invitation file) without signature or type validation. Adobe frameworks have historically used Java/.NET serialization formats with known gadget chains (BlazeDS, AMF, Java Serialization, .NET BinaryFormatter).
The attack follows the classic pattern:
- The attacker crafts a malicious Adobe Connect URL
- The victim clicks → the desktop app processes the URL
- The serialized payload contains a gadget chain that invokes magic methods on deserialization
- A chain method eventually calls `Runtime.exec()`, `ProcessStartInfo`, or equivalent
- RCE in the user's context
Characteristics
| Field | Value |
|---|---|
| CVSS 3.1 | 9.6 (CRITICAL) |
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| CWE | CWE-502 (Deserialization of Untrusted Data) |
| Scope | Changed |
| User interaction | Required |
CVE-2026-34660 — Incorrect Authorization (script injection)
Component and mechanism
This CVE is more subtle: an authorization flaw lets an attacker inject scripts into a Connect page that then run in the victim's session context.
Similar vector but with C:H/I:H/A:N impact (no availability), suggesting:
- The attacker injects JavaScript into a Connect page (chat, slide, profile)
- The victim visits the page → script runs client-side
- Session hijacking: the script steals cookies, tokens, or performs actions as the victim
- Adobe Connect account compromise
Characteristics
| Field | Value |
|---|---|
| CVSS 3.1 | 9.3 (CRITICAL) |
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |
| CWE | CWE-863 (Incorrect Authorization) + CWE-79 (XSS implicit) |
| Scope | Changed |
Affected Products and Versions
| Product | Affected versions | Patched version |
|---|---|---|
| Adobe Connect Desktop Application | ≤ 2025.9.15 | See official bulletin |
| Adobe Connect | ≤ 2025.8.157 | See official bulletin |
Check the installed version:
- Desktop app: open the app → Help → About → version number
- On-premises Adobe Connect server: Admin Console → System → Server Status
Exploitation and Impact
Realistic scenarios
Scenario 1 — Email phishing with a Connect link
An attacker sends an "HR training invitation" email containing a link such as `https://your-connect-instance.adobeconnect.com/...?room=ABC&payload=<malicious>`. The victim clicks, the desktop app opens, and the deserialized payload runs in their user context.
Impact: stored credential theft, profile access, local file exfiltration, persistence via Task Scheduler.
Scenario 2 — Script injected into a shared slide
A guest user in an Adobe Connect session (fake name, fake account) injects JavaScript via a chat field or profile. When a presenter or another participant refreshes the page, the script runs in their session.
Impact: presenter account hijacking (higher privileges), session recording, exfiltration of participants list and emails.
Real-world attack context
Adobe Connect CVEs are regularly exploited in targeted campaigns against government or educational organizations. The Adobe Connect stack has been targeted by several documented APTs (notably China- and Russia-linked actors running academic espionage).
Detection and IOCs
Adobe Connect logs (on-premises server)
```
# Typical log path
/opt/adobe/Adobe-Connect-*/server/logs/
```
Indicators:
- Abnormal volume of requests to malformed Connect URLs
- Java/.NET serialization patterns in payloads
- Repeated 500 codes on specific endpoints
- Admin sessions created from unusual IPs
Endpoint logs (user-side)
- Unexpected processes spawned by `AdobeConnect.exe` or the Adobe JVM
- Files created in `%LOCALAPPDATA%\Adobe\Connect`
- Outbound connections to non-Adobe destinations
Indicative Sigma rule (adapt as needed)
```yaml
title: Adobe Connect deserialization payload pattern
logsource:
  product: adobe_connect
detection:
  selection:
    request_body|contains:
      - 'rO0AB'         # Java serialization magic
      - 'AC ED 00 05'   # Java serialization hex
      - '0001000FAxis'  # AMF
  condition: selection
level: high
```
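The same check as the Sigma rule above, written as an added Python example (not code from Adobe or from the original page): it scans log lines for Java and .NET serialization headers in raw, Base64, hex-dump and percent-encoded form, which goes beyond the literal strings in the rule. The log line layout and paths are constructed, and the `AAEAAAD/////` BinaryFormatter prefix is an addition that the rule does not list.

```python
import base64
import re
from urllib.parse import quote, unquote_to_bytes

JAVA_MAGIC = bytes.fromhex("aced0005")              # java.io.ObjectOutputStream header
DOTNET_MAGIC = bytes.fromhex("0001000000ffffffff")  # .NET BinaryFormatter header

PATTERNS = {
    "java-raw": re.compile(re.escape(JAVA_MAGIC)),
    # Base64 of AC ED 00 05 always begins "rO0AB"; require more data after it.
    "java-base64": re.compile(rb"rO0AB[A-Za-z0-9+/_-]{8,}"),
    # Hex-dump form with optional space/colon separators and at least 4 more bytes.
    "java-hex": re.compile(rb"(?i)ac[\s:]?ed[\s:]?00[\s:]?05(?:[\s:]?[0-9a-f]{2}){4}"),
    "dotnet-raw": re.compile(re.escape(DOTNET_MAGIC)),
    # Standard and URL-safe Base64 of the BinaryFormatter header.
    "dotnet-base64": re.compile(rb"AAEAAAD[/_]{5}"),
}

def decode_layers(data: bytes, max_rounds: int = 3) -> bytes:
    """Undo repeated percent-encoding so a double-encoded header is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data

def scan(line: str) -> list[str]:
    """Return the sorted names of serialization markers found in one log line."""
    raw = line.encode("utf-8", "surrogateescape")
    decoded = decode_layers(raw)
    return sorted(n for n, rx in PATTERNS.items() if rx.search(raw) or rx.search(decoded))

# Constructed sample data: magic bytes plus filler text, not real serialized objects.
_java = JAVA_MAGIC + b"constructed-sample-not-a-real-object"
_dotnet = DOTNET_MAGIC + b"constructed-sample"
SAMPLE_LOG = [
    "GET /constructed/room/abc 200",
    "POST /constructed/endpoint body=" + base64.b64encode(_java).decode() + " 500",
    "GET /constructed/room?data=" + quote(quote(_java)) + " 500",
    "POST /constructed/endpoint hexdump=" + _java.hex(" ") + " 500",
    "POST /constructed/endpoint body=" + base64.b64encode(_dotnet).decode() + " 500",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scan(entry) or "clean", "<-", entry[:60])
```

A hit means a serialized-object header reached the endpoint, not that exploitation succeeded; correlate it with the repeated 500 responses and unusual source IPs listed among the indicators.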
Mitigation and Patch
Immediate action: patch
Adobe published patched versions on the support portal:
https://helpx.adobe.com/security/products/connect/apsb26-XX.html
(Exact bulletin number depends on Adobe's release — check the portal.)
Desktop app
- Open the app → Help menu → Check for updates
- Or uninstall and reinstall from the Adobe portal
On-premises Connect server
Follow Adobe's official procedure to apply the patch (may require a few minutes of service interruption).
Temporary workaround if patching is delayed
- Uninstall the desktop app: force users onto the web version (less exposed to deserialization, constrained by the browser)
- Block untrusted Connect URLs at the corporate proxy — allow only your tenant's URLs
- User awareness: phishing training against Connect-themed lures
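One way to express the tenant-only allow rule from the workaround list, as an added Python example (not Adobe's or any proxy vendor's code): it compares the parsed hostname exactly instead of searching the URL string, so look-alike hosts do not pass. The tenant hostname is the placeholder used earlier on this page and `is_tenant_url` is a hypothetical helper; a host allowlist limits which Connect servers users can reach and does not inspect what a permitted URL carries.

```python
from urllib.parse import urlsplit

# Assumption: placeholder tenant hostname taken from the phishing scenario on this page.
TENANT_HOSTS = frozenset({"your-connect-instance.adobeconnect.com"})

def is_tenant_url(url: str, allowed_hosts=TENANT_HOSTS) -> bool:
    """Hypothetical helper: True only for https URLs whose host is an allowed tenant."""
    url = url.strip()
    # Backslashes and control characters are parsed differently by different clients.
    if "\\" in url or any(ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased, without userinfo or port
        port = parts.port      # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https" or host is None:
        return False
    if parts.username is not None or parts.password is not None:
        return False           # user@host form obscures the real destination
    if port not in (None, 443):
        return False
    # Exact match on the whole hostname; never substring or suffix matching.
    return host.rstrip(".") in allowed_hosts

# Constructed test URLs; *.example names are reserved for documentation.
CASES = {
    "https://your-connect-instance.adobeconnect.com/room-abc/": True,
    "HTTPS://Your-Connect-Instance.AdobeConnect.com./room": True,
    "http://your-connect-instance.adobeconnect.com/": False,
    "https://your-connect-instance.adobeconnect.com.attacker.example/": False,
    "https://your-connect-instance.adobeconnect.com@attacker.example/": False,
    "https://attacker.example/?next=your-connect-instance.adobeconnect.com": False,
    "https://your-connect-instance.adobeconnect.com:8443/": False,
}

if __name__ == "__main__":
    for candidate, expected in CASES.items():
        print("allow" if is_tenant_url(candidate) else "block", candidate)
```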
Long-term hardening
- Force the web app for external (guest) users — reserve the desktop app for internal staff
- Enable SSO with Entra ID / Okta and strong MFA
- Regular audit of sessions and guest participants
- Centralized logs to a SIEM with alerts on suspect patterns
Why Continuous Monitoring of Collaboration Tools Matters
Video/webinar/collaboration tools (Adobe Connect, Zoom, Webex, Teams, Slack…) are prime targets because they combine: public exposure via invitations, untrusted file processing, and elevated user privileges (access to enterprise resources via SSO). A CVE like Adobe Connect's can serve as an APT entry point into sensitive organizations.
With cveo.tech, inventory your collaboration tools and their client/server versions deployed across your fleet and get automatic alerts the moment a critical CVE targets one of your versions — so you push updates via MDM/GPO before phishing campaigns hit your users.