PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-4661 Adobe CVE debrief

CVE-2023-4661 is a critical SQL injection flaw associated with Adobe Connect versions before 9.0. The NVD record rates it 9.8/CRITICAL and maps it to a network-exploitable attack path with no authentication or user interaction, which can put confidentiality, integrity, and availability at risk.

Vendor: Adobe
Product: Connect
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-09-15
Original CVE updated: 2026-05-21
Advisory published: 2023-09-15
Advisory updated: 2026-05-21

Who should care

Organizations running Adobe Connect, especially any deployment at version 8.x or earlier, should treat this as a high-priority remediation item. Security, application, and platform teams responsible for internet-facing or broadly reachable Connect instances should review it first.

Technical summary

The available record identifies the weakness as CWE-89 (SQL Injection). NVD’s CPE criteria mark adobe:connect versions before 9.0 as vulnerable, and the CVSS vector indicates AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. A third-party advisory reference from USOM is listed alongside the NVD record. The source text also contains a naming inconsistency, referring to Saphira Connect in the description while the CPE criteria point to Adobe Connect.

Defensive priority

Immediate. The combination of a 9.8 CVSS score, network reachability, no required privileges, and potential full CIA impact makes this a top-tier remediation priority.

Recommended defensive actions

  • Inventory all Adobe Connect deployments and determine whether any instance is below version 9.0.
  • Prioritize upgrade or replacement of affected instances to a non-vulnerable release at 9.0 or later, following vendor guidance and the referenced advisory.
  • Restrict network exposure to Adobe Connect where possible until remediation is complete, especially for externally reachable instances.
  • Review application and database logs for unusual query patterns or other indicators of SQL injection attempts around the exposure period.
  • Validate any compensating controls, such as upstream filtering or WAF rules, but do not treat them as a substitute for patching or upgrading.
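The inventory step in the list above can be scripted. The following is an added example, not part of the advisory or any vendor tooling: it classifies inventory records against the CPE criterion and versionEndExcluding bound quoted in the evidence notes. The record layout, host names and sample versions are constructed assumptions.

```python
import re

# Match criterion and bound as quoted in this page's evidence notes.
CPE_CRITERIA = "cpe:2.3:a:adobe:connect:*:*:*:*:*:*:*:*"
VERSION_END_EXCLUDING = "9.0"

def parse_version(text):
    """Return a tuple of ints for a dotted numeric version, else None."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def below(version, bound):
    """Numeric compare with zero padding: 9.0 == 9.0.0, and 10.1 > 9.0."""
    width = max(len(version), len(bound))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(bound)

def triage(record):
    """Classify one inventory record against the CPE criterion."""
    vendor, product = CPE_CRITERIA.split(":")[3:5]
    if (record["vendor"].lower(), record["product"].lower()) != (vendor, product):
        return "out_of_scope"
    version = parse_version(record["version"])
    if version is None:
        return "review"  # unknown or non-numeric: never assume it is safe
    return "affected" if below(version, parse_version(VERSION_END_EXCLUDING)) else "not_affected"

# Constructed sample inventory: hosts and versions are hypothetical.
INVENTORY = [
    {"host": "connect-a.example", "vendor": "Adobe", "product": "Connect", "version": "8.2.1"},
    {"host": "connect-b.example", "vendor": "Adobe", "product": "Connect", "version": "9.0"},
    {"host": "connect-c.example", "vendor": "Adobe", "product": "Connect", "version": "10.1"},
    {"host": "connect-d.example", "vendor": "Adobe", "product": "Connect", "version": "unknown"},
    {"host": "wiki.example", "vendor": "Example", "product": "Wiki", "version": "2.4"},
]

def report(inventory):
    """Map each host to its triage status."""
    return {rec["host"]: triage(rec) for rec in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Versions are compared numerically because a plain string comparison would sort "10.1" below "9.0" and wrongly flag a newer release as affected. Records with an unparseable version are routed to manual review instead of being treated as safe.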

Evidence notes

Source corpus: CVE published 2023-09-15T09:15:07.907Z and modified 2026-05-21T14:16:42.950Z. NVD metadata lists CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, severity Critical, and CWE-89. The NVD CPE criteria specify cpe:2.3:a:adobe:connect:*:*:*:*:*:*:*:* with versionEndExcluding 9.0. References include a USOM advisory and related security notice links. The description text mentions Saphira Connect, but the structured CPE data identifies Adobe Connect as the affected product.

Official resources

Publicly disclosed on 2023-09-15. The NVD record was modified on 2026-05-21; use the CVE published date for issue timing.