October 11, 2023 at 08:54AM
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities catalog. The vulnerability, tracked as CVE-2023-21608, is a use-after-free bug that allows for remote code execution. Adobe released a patch for the flaw in January 2023, but details about the exploitation and threat actors are unknown. Federal Civilian Executive Branch agencies must apply the patches by October 31, 2023.
Key Takeaways from Meeting Notes:
1. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a high-severity vulnerability in Adobe Acrobat Reader, tracked as CVE-2023-21608. This vulnerability allows for remote code execution with the privileges of the current user.
2. The vulnerability is a use-after-free bug and has been actively exploited by threat actors.
3. Adobe released a patch for this vulnerability in January 2023. Versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020 prior to specific versions are affected.
4. Security researchers Ashfaq Ansari and Krishnakant Patil discovered and reported the vulnerability.
5. The nature of the exploitation and details about the threat actors utilizing CVE-2023-21608 are currently unknown.
6. There is a proof-of-concept (PoC) exploit available for CVE-2023-21608 since late January 2023.
7. This vulnerability follows a previous in-the-wild exploitation of another Adobe Acrobat and Reader vulnerability, CVE-2023-26369.
8. Federal Civilian Executive Branch (FCEB) agencies must apply the provided patches by October 31, 2023, to protect their networks from potential threats.
9. Follow the company on Twitter and LinkedIn for more exclusive content.