Microsoft Power Apps, Windows IKE and Adobe Connect Critical Vulnerabilities

Overview

  • CVE: CVE-2026-33824, CVE-2026-27303, CVE-2026-27243, CVE-2026-27245, CVE-2026-27246, CVE-2026-34615, CVE-2026-26149

  • Severity: Critical

  • Date: 15 April 2026

Multiple critical vulnerabilities have been disclosed affecting Microsoft Power Apps, Adobe Connect, and Windows 10. These issues include remote code execution, deserialisation flaws, and cross-site scripting vulnerabilities, which may allow attackers to execute arbitrary code, bypass security controls, or compromise user sessions.


Affected Versions

  • Microsoft Power Apps: Review Microsoft's Security Update Guide for affected and fixed versions.

  • Windows Internet Key Exchange (IKE) Service Extensions: Apply the April 2026 Microsoft security updates to affected Windows systems, including environments with IKEv2 enabled.

  • Adobe Connect: 12.10 and earlier.

  • Adobe Connect Desktop Application: 2025.3 and earlier.

  • Fixed Adobe versions: Adobe Connect 12.11 and Adobe Connect Desktop Application 2025.9.


Vulnerability Breakdown

Microsoft – Power Apps

CVE-2026-26149 - Security Feature Bypass

  • Severity: Critical

  • CVSS: 9.0

  • Description: Improper neutralisation of escape, meta, or control sequences in Microsoft Power Apps allows an authorised attacker to bypass a security feature over a network.

  • Impact: Security control bypass within affected Power Apps environments.

  • Conditions: The attacker must already be authorised within the target environment.

  • Notes: Review privileged access, maker permissions and exposed workflows as part of remediation.


Adobe – Connect

CVE-2026-27303 - Deserialisation of Untrusted Data

  • Severity: Critical

  • CVSS: 9.6

  • Description: Adobe Connect contains a deserialisation flaw that could allow arbitrary code execution.

  • Impact: Arbitrary code execution in the current user context.

  • Conditions: Exploitation requires access to a vulnerable Adobe Connect deployment processing attacker-controlled input.

  • Notes: Adobe states it is not aware of in-the-wild exploitation for the issues addressed in APSB26-37.

CVE-2026-27243 - Adobe Connect reflected XSS

  • Severity: Critical

  • CVSS: 9.3

  • Description: Adobe Connect is affected by a reflected cross-site scripting vulnerability.

  • Impact: Malicious JavaScript may execute in the victim's browser and could lead to the arbitrary code execution outcome that Adobe describes.

  • Conditions: The attacker must convince a victim to visit a crafted URL referencing a vulnerable page.

  • Notes: Adobe lists scope as changed.

CVE-2026-27245 - Adobe Connect reflected XSS

  • Severity: Critical

  • CVSS: 9.3

  • Description: A second reflected cross-site scripting issue affects vulnerable Adobe Connect versions.

  • Impact: Malicious JavaScript execution in the victim's browser with potential follow-on compromise.

  • Conditions: User interaction is required and the victim must load a crafted URL.

  • Notes: Adobe lists scope as changed.

CVE-2026-27246 - Adobe Connect DOM-based XSS

  • Severity: Critical

  • CVSS: 9.3

  • Description: Adobe Connect contains a DOM-based cross-site scripting vulnerability.

  • Impact: Malicious JavaScript execution in the victim's browser.

  • Conditions: Exploitation requires user interaction and a crafted webpage.

  • Notes: Adobe lists scope as changed.

CVE-2026-34615 - Deserialisation of Untrusted Data

  • Severity: Critical

  • CVSS: 9.3

  • Description: Adobe Connect is affected by an additional deserialisation of untrusted data vulnerability that can lead to arbitrary code execution.

  • Impact: Arbitrary code execution in the affected user context.

  • Conditions: Exploitation requires exposure to crafted input against a vulnerable Adobe Connect deployment.

  • Notes: Prioritise remediation alongside CVE-2026-27303 because both issues can lead to code execution.


Microsoft – Windows 10

CVE-2026-33824 - Remote Code Execution (IKE Extension)

  • Severity: Critical

  • CVSS: 9.8

  • Description: A double free vulnerability in Windows Internet Key Exchange (IKE) Service Extensions can allow remote code execution over the network.

  • Impact: Unauthenticated remote code execution on affected Windows hosts.

  • Conditions: The target must have IKEv2 enabled and be reachable by crafted network traffic.

  • Notes: If IKE is not required externally, blocking inbound UDP ports 500 and 4500 can reduce exposure while patching is underway.


Mitigation

  • Apply the latest Microsoft April 2026 security updates for Power Apps and affected Windows systems.

  • Update Adobe Connect to version 12.11 and Adobe Connect Desktop Application to version 2025.9.

  • Prioritise internet-exposed Adobe Connect services and Windows hosts with IKEv2 enabled.

  • Restrict unnecessary administrative and maker access in Microsoft Power Apps.

  • If IKE is not required externally, block inbound UDP ports 500 and 4500 at the network perimeter.

  • Remind users not to open unexpected Adobe Connect links until patching is complete.
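The IKE exposure check and temporary block described above, as an added example for a single Windows host (not code from Microsoft or from this advisory). It assumes an elevated PowerShell session and applies the block at the host firewall rather than the network perimeter; the `-Block` switch and the rule name are constructed for illustration.

```powershell
# Added example: report whether this host exposes IKE (UDP 500/4500) and,
# when -Block is given, add a temporary inbound block rule for those ports.
[CmdletBinding()]
param(
    [switch]$Block   # hypothetical switch: create the block rule when set
)

$ikePorts = 500, 4500                      # IKE and IPsec NAT traversal
$ruleName = 'TEMP-Block-Inbound-IKE-UDP'   # constructed rule display name

# IKEEXT is the "IKE and AuthIP IPsec Keying Modules" service.
$svc = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue

# UDP endpoints currently bound to the IKE ports on this host.
$listeners = Get-NetUDPEndpoint -LocalPort $ikePorts -ErrorAction SilentlyContinue

# Enabled inbound allow rules that name UDP 500 or 4500 explicitly.
# Rules written as port ranges or "Any" are not matched by this simple filter.
$allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'UDP' -and
            ($pf.LocalPort | Where-Object { $_ -in '500', '4500' })
    }

# Add the block only once; in Windows Firewall a block rule overrides allow rules.
# This stops IPsec/IKEv2 VPN negotiation to this host, so use it only where
# inbound IKE is not required.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($Block -and -not $existing) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort $ikePorts -Action Block -Profile Any | Out-Null
    $existing = Get-NetFirewallRule -DisplayName $ruleName
}

# One summary object per host, suitable for Export-Csv across a fleet.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    IkeExtStatus    = if ($svc) { $svc.Status } else { 'NotInstalled' }
    IkeExtStartType = if ($svc) { $svc.StartType } else { $null }
    UdpListeners    = ($listeners |
        ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
    InboundAllow    = ($allowRules.DisplayName | Sort-Object -Unique) -join '; '
    BlockRuleInPlace = [bool]$existing
}
```

Remove the temporary rule with `Remove-NetFirewallRule -DisplayName 'TEMP-Block-Inbound-IKE-UDP'` once the April 2026 updates are installed.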


Summary for IT Teams

  • Products: Microsoft Power Apps, Windows Internet Key Exchange (IKE) Service Extensions, Adobe Connect

  • Threat Level: Critical, up to CVSS 9.8

  • Action Required:

    • Patch all affected Microsoft and Adobe systems immediately

    • Prioritise Adobe Connect instances due to RCE and deserialisation risks

    • Review exposure of Windows systems, particularly network-facing services

    • Monitor for signs of exploitation, including unusual script execution or session activity



Need Help?

If your organisation needs help assessing exposure, validating patch coverage or accelerating remediation, contact Secure ISS on 1300 769 460. Our SOC team is ready to assist.


Australia is secure when
Australian talent defends it.

Reach out today to discuss how, with Lumara, we can work together to protect your business from the always changing Australian threat landscape.
