The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2023-21608 (CVSS score: 7.8), the vulnerability has been described as a use-after-free bug that could be exploited to achieve remote code execution (RCE) with the privileges of the current user.
A patch for the flaw was released by Adobe in January 2023. HackSys security researchers Ashfaq Ansari and Krishnakant Patil were credited with discovering and reporting the flaw.
The following versions of the software are impacted –
- Acrobat DC – 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310)
- Acrobat Reader DC – 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310)
- Acrobat 2020 – 20.005.30418 and earlier versions (fixed in 20.005.30436)
- Acrobat Reader 2020 – 20.005.30418 and earlier versions (fixed in 20.005.30436)
Details surrounding the nature of the exploitation and the threat actors that may be abusing CVE-2023-21608 are currently unknown. A proof-of-concept (PoC) exploit for the flaw was made available in late January 2023.
CVE-2023-21608 is also the second Adobe Acrobat and Reader vulnerability to see in-the-wild exploitation after CVE-2023-26369, an out-of-bounds write issue that could result in code execution upon opening a specially crafted PDF document.
Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor-provided patches by October 31, 2023, to secure their networks against potential threats.