Critical Adobe Connect RCE: Deserialization Flaw Puts Users at Risk
A critical deserialization of untrusted data vulnerability, tracked as CVE-2026-34615, has been identified in multiple versions of Adobe Connect. According to the National Vulnerability Database (NVD), this flaw affects Adobe Connect versions 2025.3, 12.10, and earlier. This isn’t just a run-of-the-mill bug; it’s a serious arbitrary code execution (RCE) vulnerability that could allow an attacker to execute code in the context of the current user. What’s particularly concerning is that, as the NVD points out, exploitation of this issue doesn’t require any user interaction, making it a prime candidate for wormable attacks or silent compromise.
The CVSS score for CVE-2026-34615 clocks in at a whopping 9.3, firmly placing it in the ‘critical’ severity category. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N highlights a few key aspects: it’s network-exploitable (AV:N), has low attack complexity (AC:L), requires no privileges (PR:N), and critically, its scope is changed (S:C), meaning a successful exploit can impact resources beyond the vulnerable component itself. While user interaction is listed as ‘Required’ (UI:R), the NVD’s specific note about no user interaction required for exploitation suggests a nuanced or specific attack vector that bypasses typical UI requirements, which is a significant red flag. This vulnerability, categorized under CWE-502 (Deserialization of Untrusted Data), is a classic and often devastating flaw, frequently leading to RCE.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-34615 | Deserialization | Adobe Connect version 2025.3 |
| CVE-2026-34615 | Deserialization | Adobe Connect version 12.10 and earlier |
| CVE-2026-34615 | RCE | Arbitrary code execution via Deserialization of Untrusted Data |