The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2023-21608 (CVSS score: 7.8), the vulnerability has been described as a use-after-free bug that can be exploited to achieve remote code execution (RCE) with the privileges of the current user.
A patch for the flaw was released by Adobe in January 2023. HackSys security researchers Ashfaq Ansari and Krishnakant Patil were credited with discovering and reporting the flaw.
The following versions of the software are affected:
- Acrobat DC – 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310)
- Acrobat Reader DC – 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310)
- Acrobat 2020 – 20.005.30418 and earlier versions (fixed in 20.005.30436)
- Acrobat Reader 2020 – 20.005.30418 and earlier versions (fixed in 20.005.30436)
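The practical question for a defender reading the list above is which installed builds still need the patch. The following is an added example, not code from the article, Adobe or CISA: it compares installed Acrobat/Reader build numbers against the fixed builds the article names, using numeric rather than string comparison (a plain string compare would rank a build like `22.003.9999` above `22.003.20310`). The product labels, the `triage` helper and the sample inventory rows are constructed for illustration; only the version thresholds come from the article.

```python
"""Check whether installed Adobe Acrobat/Reader builds are below the fixed builds
named for CVE-2023-21608. Added example; version thresholds are those quoted in
the article, product labels and sample hosts are constructed."""
from typing import Iterable, List, Tuple

# Fixed builds as stated in the advisory text (CVE-2023-21608).
# Windows and Mac share the same fixed build per product line.
FIXED_BUILDS = {
    "Acrobat DC": "22.003.20310",
    "Acrobat Reader DC": "22.003.20310",
    "Acrobat 2020": "20.005.30436",
    "Acrobat Reader 2020": "20.005.30436",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '22.003.20282' into (22, 3, 20282).

    Integer tuples compare numerically field by field. Comparing the raw strings
    would be wrong: '22.003.9999' sorts above '22.003.20310' lexicographically
    even though it is an older build.
    """
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, installed: str) -> bool:
    """True if `installed` is older than the fixed build for `product`."""
    if product not in FIXED_BUILDS:
        raise KeyError(f"unknown product label: {product!r}")
    return parse_version(installed) < parse_version(FIXED_BUILDS[product])


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that still need the patch."""
    return [(h, p, v) for h, p, v in inventory if is_vulnerable(p, v)]


# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = [
    ("ws-01", "Acrobat Reader DC", "22.003.20282"),   # Win build named in the advisory
    ("ws-02", "Acrobat Reader DC", "22.003.20310"),   # already at the fixed build
    ("ws-03", "Acrobat 2020", "20.005.30418"),        # affected build named in the advisory
    ("mac-01", "Acrobat DC", "22.003.20281"),         # Mac build named in the advisory
    ("ws-04", "Acrobat Reader 2020", "20.005.30436"),  # already at the fixed build
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> update to {FIXED_BUILDS[product]}")
```

In practice the inventory rows would come from an endpoint-management export; the check itself only depends on the product line and the three-field build number.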
Details surrounding the nature of the exploitation and the threat actors that may be abusing CVE-2023-21608 are currently unknown. A proof-of-concept (PoC) exploit for the flaw was made available in late January 2023.
CVE-2023-21608 is also the second Adobe Acrobat and Reader vulnerability to see in-the-wild exploitation, after CVE-2023-26369, an out-of-bounds write issue that could result in code execution when a specially crafted PDF document is opened.
Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor-provided patches by October 31, 2023, to secure their networks against potential threats.