// 6 ZERO-DAY · 6 CVE · 6 EXPLOIT IN THE LAST 24H
ZDI-26-419 reveals a vulnerability in AdobeUpdateService that allows local privilege escalation from low-privilege user to SYSTEM on Windows. Adobe has released patch APSB26-77 with version 6.10.0.252.3.

Adobe released security bulletin APSB26-77 on July 15, 2026 to address a vulnerability in the AdobeUpdateService component of Creative Cloud Desktop Application. The flaw, tracked as ZDI-26-419 by Trend Micro Zero Day Initiative researcher Brandon Evans, allows a low-privileged user to escalate to SYSTEM by exploiting a dynamic library loading defect. The bug was reported on March 13, 2026, leaving 122 days of coordinated disclosure between report and public release.

Key Takeaways
  • Vulnerability ZDI-26-419 affects Adobe Creative Cloud Desktop Application up to version 6.9.1.1 on Windows; the patched version is 6.10.0.252.3
  • The flaw is classified as CWE-427 (Uncontrolled Search Path Element) and leads to arbitrary code execution in the SYSTEM context
  • The vector is local (AV:L), requires low privileges (PR:L) and no user interaction (UI:N); the CVSS vector includes S:C (scope changed)
  • Adobe confirms CVE-2026-48272 with a CVSS 3.1 score of 7.8 (Critical) and states it is not aware of exploits in the wild

The Mechanics of the Flaw: When Search Order Becomes a Threat

The issue lies in how AdobeUpdateService loads dynamic libraries. According to the ZDI advisory, "the product loads a library from an unsecured location" — a directory that an unprivileged user can control or influence. In Windows, the DLL search order dictates that the operating system looks for the library in specific paths before resolving to the system path. If the service, running with SYSTEM privileges, points to a directory writable by the user, an attacker can place a malicious DLL with the same expected name.

On the next load, the service executes the malicious DLL code within its own security context. The result is a local privilege escalation: from an account with limited code execution capabilities, the attacker gains the highest operating system rights. The ZDI advisory is explicit: "An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM."

The CVSS 7.8 and the Meaning of Scope Changed

According to Adobe's vendor advisory, CVE-2026-48272 carries a CVSS 3.1 score of 7.8, placing it in the Critical band. The full vector is AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. Breaking down the components: local access (AV:L), high attack complexity (AC:H), low privileges required (PR:L), no user interaction needed (UI:N). The most impactful element is S:C, scope changed, indicating that compromise of the vulnerable component can extend beyond its security boundaries.

In enterprise scenarios with virtualized workstations or terminal servers, this vector takes on specific relevance. The compromised service operates in a security context isolated from the user who triggered the attack; scope changed suggests the compromise can cross that boundary. The dossier does not indicate that Adobe has documented exploits in the wild: "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."

The Exposure Window: 122 Days Between Report and Disclosure

The ZDI timeline shows a report date of March 13, 2026 and coordinated disclosure on July 15, 2026. This roughly four-month span reflects Zero Day Initiative's standard policy of coordinating with the vendor before publication. The period represents a concrete exposure window for organizations: vulnerable versions remained deployed on Windows endpoints without a fix, even though the defect was known to both the vendor and the researcher.

The version that fixes the issue, per the Adobe advisory, is Creative Cloud Desktop Application 6.10.0.252.3. Release notes indicate versions 6.9.1.1 and earlier are affected. The brief does not specify whether the update is delivered automatically or requires manual intervention; the Adobe advisory points to the Download Center for installation.

Immediate Actions

  • Verify the installed version of Creative Cloud Desktop Application on all Windows endpoints and update to 6.10.0.252.3 via the Adobe Download Center
  • In multi-user deployments and on terminal servers, prioritize verification given the PR:L condition that makes the attack practical from any restricted account
  • Monitor DLL load logs from AdobeUpdateService in environments where the patch cannot be applied immediately
  • Evaluate reducing the service's privileges where technically feasible without breaking update functionality
"Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates." — Adobe Security Bulletin APSB26-77

The Paradox of High-Privilege Update Services

Vulnerability ZDI-26-419 illustrates a recurring pattern in client software security: the mechanism designed to keep systems updated and protected becomes a compromise vector itself. AdobeUpdateService requires elevated privileges to install system-level patches; those same elevated privileges amplify the impact of a flaw in its dependency loading. The architectural choice to load libraries from paths potentially controllable by the user breaks the principle of least privilege in external resource management.

The case joins a series of similar advisories across different vendors' update services, where the combination of SYSTEM execution and unverified resource loading has produced comparable vulnerabilities. The difference here lies in the product's reach: Creative Cloud is installed on millions of enterprise and individual workstations, many in environments where local access is not considered a sufficient threat to warrant stringent controls.

Frequently Asked Questions

Is the vulnerability remotely exploitable?
No. The vector is local (AV:L): the attacker must already have the ability to execute code with low privileges on the target system.

Does Creative Cloud's automatic update protect against the attack?
The dossier does not specify whether the update to 6.10.0.252.3 occurs automatically. The Adobe advisory indicates the Download Center as the patch distribution channel.

Why is the S:C vector in CVSS relevant for enterprises?
Scope changed indicates that compromise can extend beyond the vulnerable component. In virtualized environments or those with user isolation, this amplifies risk compared to a privilege escalation contained within the user profile alone.

Sources

Information verified against cited sources and current as of publication.

Sources


Sources and references
  1. zerodayinitiative.com
  2. helpx.adobe.com