This briefing covers critical security developments from June 9-10, 2026. The period saw significant vulnerability disclosures affecting widely deployed enterprise software, including three CRITICAL-severity issues in Adobe Campaign Classic and ColdFusion that enable remote code execution without user interaction. Of major concern are CVE-2026-48303 and CVE-2026-47938 in Adobe Campaign Classic (CVSS 10.0), which allow arbitrary code execution and privilege escalation with scope changes, indicating potential container or sandbox escapes.
Adobe products dominated the vulnerability landscape with 30 disclosed CVEs, primarily affecting Acrobat Reader (multiple use-after-free vulnerabilities), ColdFusion (XXE, path traversal, input validation flaws), and Campaign Classic. MongoDB Server disclosed three HIGH-severity pre-authentication denial-of-service vulnerabilities exploitable by unauthenticated attackers. The abuse.ch threat feed captured 51 malware distribution URLs during this period, predominantly distributing Mozi botnet variants, Mirai botnet samples, and ClearFake malware, with infrastructure hosted on compromised IoT devices and legitimate domains.
Organizations should prioritize patching the three CRITICAL Adobe vulnerabilities immediately, particularly in internet-facing Campaign Classic deployments. MongoDB administrators should apply patches for the pre-auth DoS vulnerabilities as these can be exploited without credentials. The continued Mozi and Mirai botnet activity indicates persistent IoT device compromise campaigns targeting MIPS and ARM architectures, requiring network segmentation and IoT device hardening.
Three CRITICAL-severity vulnerabilities and multiple HIGH-severity issues affecting Adobe and ColdFusion products pose severe risk to enterprise environments.
Incorrect Authorization vulnerability in Adobe Campaign Classic versions 7.4.3 build 9394 and earlier enables arbitrary code execution without user interaction. Scope is changed, indicating potential container escape or privilege boundary violation.
Server-Side Request Forgery in Adobe Campaign Classic versions 7.4.3 build 9394 and earlier results in privilege escalation without user interaction. Changed scope indicates impact beyond the vulnerable component.
Improper Input Validation in ColdFusion versions 2023.19 and 2025.8 allows arbitrary code execution without user interaction. Changed scope and CVSS 9.6 indicate severe impact across security boundaries.
Path traversal vulnerability in ColdFusion versions 2023.19 and 2025.8 enables unauthorized file system access and security control bypass.
Input validation weakness in ColdFusion versions 2023.19 and 2025.8 allows code execution without user interaction with changed scope.
Three HIGH-severity vulnerabilities in MongoDB Server enable unauthenticated attackers to crash mongod processes remotely.
The $_internalApplyOplogUpdate pipeline stage processes malformed binary diffs leading to out-of-bounds memory access or server crash. Exploitable by any authenticated user with aggregate command access.
When OIDC authentication is enabled, unauthenticated clients can crash the server by manipulating the 'mechanism' parameter in authenticate commands.
BSON validator's handling of nested binary structures permits uncontrolled mutual recursion, enabling unauthenticated remote DoS via specially crafted messages.
Multiple use-after-free and buffer overflow vulnerabilities in Acrobat Reader versions 24.001.30365 and 26.001.21651 enable code execution via malicious PDF files.
CVE-2026-47955, CVE-2026-47921, CVE-2026-47920, CVE-2026-47919, CVE-2026-47918, CVE-2026-47917, CVE-2026-47916, CVE-2026-47915, CVE-2026-47914: Use-after-free conditions enabling arbitrary code execution when opening malicious PDFs. All rated CVSS 7.8.
Stack buffer overflow in Acrobat Reader versions 24.001.30365 and 26.001.21651 allows code execution via malicious file requiring user interaction.
Heap-based buffer overflow enabling arbitrary code execution when victims open specially crafted PDF documents.
Uncontrolled search path element vulnerability allows code execution through DLL hijacking or similar techniques when opening malicious files.
Other notable vulnerabilities affecting various software products including SQLFluff, CAI Content Credentials, and Adobe Format Plugins.
XML External Entity vulnerability in ColdFusion 2023.19 and 2025.8 enables arbitrary file system read and potential data exfiltration.
SQLFluff versions prior to 4.2.0 and 4.1.0 are vulnerable to resource exhaustion via malicious SQL queries with excessive length or nesting. Impacts deployments accepting untrusted user queries.
Multiple vulnerabilities in CAI Content Credentials (c2pa-web@0.7.1, c2pa-v0.80.1) including resource exhaustion, improper input validation, and integer overflow leading to application denial-of-service.
Heap-based buffer overflow vulnerabilities in Format Plugins versions 1.1.2 and earlier enable code execution when processing malicious files.
Extensive IoT botnet malware distribution observed targeting MIPS and ARM architectures via compromised devices.
Multiple Mozi botnet samples distributed from compromised Chinese IP addresses (113.224.180.191, 182.122.225.50, 42.234.118.12, and others) targeting 32-bit MIPS architecture IoT devices. Indicators include shell scripts and ELF binaries for remote exploitation.
Coordinated Mirai botnet distribution serving multiple architecture variants (x86_64, ARM5, ARM6, MIPS, MIPSEL, PowerPC, SPC, SH4, M68K) from infrastructure at 176.65.139.126 and 217.60.195.70. Uses wget user-agent for automated propagation across diverse IoT platforms.
Malware samples combining Mozi and Mirai characteristics distributed from IPs 111.126.223.40:58633 and 218.16.164.117:53377, specifically targeting 32-bit ARM ELF devices.
ClearFake social engineering campaign and other malware distribution observed via compromised websites and legitimate-appearing domains.
ClearFake malware distributed through gambling and betting domains (parspoker.casino, sabaad724.bet, penalty.casino, rika90.bet, riverpoker1.com, romabet90.bet) using UUID-based URLs for victim tracking and payload delivery.
Multiple malicious MSI installer packages distributed through gadomamada.com, magina.online, estirarsobrelivro.com, and grandvegasbet.com.br using PNG file extensions to evade detection.
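One way to catch the extension masquerade described above at a proxy or mail gateway, as an added example that is not part of the original briefing: compare the extension in the URL path with the leading magic bytes of the content. The policy tables, verdict names and sample URLs are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Leading-byte signatures for the content types of interest.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-cfb"),  # container format used by MSI
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),
    (b"PK\x03\x04", "zip"),
]
# Assumed policy: content types each extension may legitimately carry.
EXPECTED = {".png": {"png"}, ".msi": {"ole-cfb"}, ".zip": {"zip"}, ".exe": {"pe"}}
EXECUTABLE = {"ole-cfb", "elf", "pe"}

def sniff(head: bytes) -> str:
    """Classify content by its first bytes; short or unrecognised input is 'unknown'."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"

def check(url_or_name: str, head: bytes) -> dict:
    """Compare the extension in a URL path or file name with the sniffed content."""
    path = urlsplit(url_or_name).path          # drops ?query and #fragment
    ext = posixpath.splitext(path.lower())[1]
    kind = sniff(head)
    allowed = EXPECTED.get(ext)                # None: extension not covered by the policy
    mismatch = allowed is not None and kind not in allowed
    if mismatch and kind in EXECUTABLE:
        verdict = "block"                      # installer/binary behind a passive extension
    elif mismatch:
        verdict = "review"
    else:
        verdict = "allow"
    return {"ext": ext, "content": kind, "verdict": verdict}

# Constructed samples: (URL or file name, first bytes of the response body).
SAMPLES = [
    ("https://cdn.example/img/banner.png?id=7", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("https://cdn.example/img/update.png", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(8)),
    ("setup.msi", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(8)),
    ("photo.png", b"PK\x03\x04\x14\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, check(name, head))
```

Only the first eight bytes of a response are needed, so the check can run on a streamed download before the body is written to disk.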
Malicious ZIP archives distributed via voltrix.tv and coraline-cheats.pw masquerading as gaming enhancement tools (Voltrix.zip, coraline_4.7.zip).
Executable distributed via chinabowl.club using Cloudflare-themed social engineering with token-based authentication and referrer tracking.