Skip to main content
Participant
July 2, 2026
Question

security issue

  • July 2, 2026
  • 2 replies
  • 60 views

Dear Adobe Security Team,

We are reaching out regarding multiple alerts observed in our environment tied to the execution of node.exe within the Adobe Creative Cloud Experience directory. Also, the hash is successfully blocked by Trend Micro based on hash reputation.

Key details from our investigation:

File path: C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe

File hash: d14ba95cdce1ef7dc9ad3ac74949ca5db38b27378ee30f30a23cf26f9e875a11

File signature: Signed by Node.js Foundation, consistent with Adobe’s legitimate bundling of Node.js Parent process: ccxprocess.exe (Adobe Creative Cloud component)

Child processes: cmd.exe creating a scheduled task to launch CCXProcess daily, and cmd.exe querying registry keys under HKLM\SOFTWARE\Policies\Adobe\CCXProcess

Given the initial association of this hash with the Photo ZIP campaign, we would like Adobe’s confirmation on whether this behavior is expected and benign, or if further investigation is warranted.

Please advise on next steps and whether any remediation or updates are recommended.

Thank you,

Shilnas Yoonus

    2 replies

    BaniVerma
    Community Manager
    Community Manager
    July 6, 2026

    Hi ​@Shilnas Yoonus,

     

    Thank you for reaching out, and we appreciate the detail you've shared from your investigation. We understand that alerts of this nature warrant careful review, especially when they involve executables running from a trusted application directory.

     

    The behavior you've described is consistent with the normal operation of the Creative Cloud Content Manager, which is a legitimate Adobe background process that ships with the Creative Cloud desktop app. A few points from our official documentation that map to your observations:

    • The Creative Cloud Content Manager uses the node.js framework as part of how it runs, which is why you see node.exe associated with this component.
    • On Windows, the Content Manager uses a scheduled task named "Launch Adobe CCXProcess" to trigger CCXProcess.exe on a defined schedule.
    • This process operates at user-level privileges, as documented.

    Adobe explicitly recommends adding the "Launch Adobe CCXProcess" task to your security software's allow list so it is not mistakenly blocked or restricted. Full details, including the macOS equivalent (com.adobe.ccxprocess.plist), are documented here: https://helpx.adobe.com/x-productkb/global/ccxprocess-os-scheduler.html

    For a broader overview of Adobe's background processes and the role each one plays, please refer to: https://helpx.adobe.com/x-productkb/global/adobe-background-processes.html

     

    Regarding the specific hash and the campaign association you mentioned: we are not able to certify individual file hashes through the community forum, and executable names can be reused by unrelated files, so we would recommend verifying on the affected endpoints that the file is the genuine, Adobe-signed copy running from the expected Creative Cloud install directory. For a formal review of the specific hash, or if you observe this activity from a path outside your Creative Cloud install directory, please open a case through Admin Console > Support so our team can look into the details with you directly.

     

    Please let us know how it goes, we're happy to assist further.

     

    Thanks,

    ^BS

    kglad
    Community Expert
    Community Expert
    July 3, 2026

    you can replace node.exe with the latest version.