Adobe has shipped security patches addressing seven maximum-severity vulnerabilities in two enterprise platforms. The flaws affect ColdFusion, a web application development environment, and Campaign Classic, a marketing automation solution. No CVEs were specified in the advisory, but Adobe rates all seven as critical.

The vulnerabilities carry the highest possible severity rating under Adobe's own scoring system, indicating they could allow remote code execution or complete system compromise. While Adobe has not disclosed exploitation status, the maximum-severity designation typically signals high risk for unpatched deployments. ColdFusion has been a frequent target for attackers, including state-backed groups, in recent years.

Technical details remain sparse, but the flaws likely involve deserialization, injection, or memory corruption vectors commonly found in ColdFusion. No indicators of compromise have been published, and Adobe has not released proof-of-concept code. Users should assume the vulnerabilities are exploitable without authentication in some scenarios.

Patches are available immediately via Adobe's update mechanism for both platforms. ColdFusion admin dashboards and Campaign Classic console installations should prioritize the update. For environments where patching is delayed, Adobe recommends restricting network access to affected services as a workaround.

Attribution for discovering the bugs has not been disclosed. Adobe credits internal security teams and external researchers in its advisory but names no specific individuals. The breadth of the fix — covering two different platforms with simultaneous max-severity patches — suggests a coordinated disclosure effort.