The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2023-21608, is a use-after-free bug that allows remote code execution with the current user’s privileges. Adobe released a patch for the vulnerability in January 2023. The flaw affects various versions of Acrobat DC and Acrobat Reader DC, as well as Acrobat 2020 and Acrobat Reader 2020. Details about the exploitation and the threat actors behind it are currently unknown, but a proof-of-concept exploit was made available. This is the second Adobe Acrobat and Reader vulnerability to be exploited in the wild this year. Federal Civilian Executive Branch (FCEB) agencies are required to apply the provided patches by October 31, 2023, to ensure network security.
Signal | Change | 10y horizon | Driving force |
---|---|---|---|
High-severity flaw in Adobe Acrobat Reader added to KEV catalog | Technological | Improved security measures in Adobe software | Protection against cyber threats |
Use-after-free bug exploited | | | |
Patch released by Adobe | | | |
Impact on specific software versions | | | |
Details of exploitation unknown | | | |
PoC exploit made available | | | |
Second Adobe vulnerability exploited | | | |
Vendor-provided patches required by FCEB agencies to secure networks against potential threats | | | |