The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2023-21608 (CVSS score: 7.8), the vulnerability has been described as a use-after-free bug that can be exploited to achieve remote code execution (RCE) with the privileges of the current user.
A patch for the flaw was released by Adobe in January 2023. HackSys security researchers Ashfaq Ansari and Krishnakant Patil were credited with discovering and reporting the flaw.
The following versions of the software are impacted -
- Acrobat DC - 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310)
- Acrobat Reader DC - 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310)
- Acrobat 2020 - 20.005.30418 and earlier versions (fixed in 20.005.30436)
- Acrobat Reader 2020 - 20.005.30418 and earlier versions (fixed in 20.005.30436)
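A quick way for administrators to triage an endpoint inventory against the fixed builds above. This is an added example, not code from the article or from Adobe; it assumes a constructed comma-separated inventory (hostname, track, version) and treats any build older than the fixed build for its track as still needing the patch, which covers the "and earlier versions" wording for both Windows and Mac.

```python
"""Check Adobe Acrobat/Reader builds against the CVE-2023-21608 fixed builds.

Any build older than the fixed build for its track is reported as unpatched,
which covers the advisory's "and earlier versions" for both Windows and Mac.
"""
from __future__ import annotations

# Fixed builds as listed in the advisory text for CVE-2023-21608.
FIXED_BUILDS = {
    "dc": (22, 3, 20310),    # Acrobat DC / Acrobat Reader DC (continuous track)
    "2020": (20, 5, 30436),  # Acrobat 2020 / Acrobat Reader 2020 (classic track)
}

# Constructed sample inventory: "hostname,track,version" (not real hosts).
SAMPLE_INVENTORY = """\
ws-01,dc,22.003.20282
ws-02,dc,22.003.20281
ws-03,dc,22.003.20310
srv-04,2020,20.005.30418
srv-05,2020,20.005.30436
mac-06,dc,23.001.20000
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '22.003.20282' into (22, 3, 20282) so builds compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Acrobat version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_unpatched(track: str, version: str) -> bool:
    """True if the build is older than the fixed build for its track."""
    return parse_version(version) < FIXED_BUILDS[track]


def find_unpatched(inventory: str) -> list[str]:
    """Return hostnames whose Acrobat build predates the January 2023 fix."""
    hosts = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, track, version = (f.strip() for f in line.split(","))
        if is_unpatched(track, version):
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: build predates the CVE-2023-21608 fix; patch required")
```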
Details surrounding the nature of the exploitation and the threat actors that may be abusing CVE-2023-21608 are currently unknown. A proof-of-concept (PoC) exploit for the flaw was made available in late January 2023.
CVE-2023-21608 is also the second Adobe Acrobat and Reader vulnerability that has seen in-the-wild exploitation this year after CVE-2023-26369, an out-of-bounds write issue that could result in code execution by opening a specially crafted PDF document.
Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor-provided patches by October 31, 2023, to secure their networks against potential threats.