Jump to content
  • Adobe warns of critical Acrobat and Reader zero-day exploited in attacks


    Karlston

    • 750 views
    • 2 minutes
     Share


    • 750 views
    • 2 minutes

    Adobe has released security updates to patch a zero-day vulnerability in Acrobat and Reader tagged as exploited in attacks.

     

    Even though additional information on the attacks is yet to be disclosed, the zero-day is known to affect both Windows and macOS systems.

     

    "Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader," the company said in a security advisory published today.

     

    The critical security flaw is tracked as CVE-2023-26369 and can let attackers gain code execution after successfully exploiting an out-of-bounds write weakness.

     

    While threat actors can exploit it in low-complexity attacks without requiring privileges, the flaw can only be exploited by local attackers, and it also requires user interaction, according to its CVSS v3.1 score

     

    CVE-2023-26369 was classified by Addobe with a maximum priority rating, with the company strongly advising administrators to install the update as soon as possible, ideally within a 72-hour window.

     

    The complete list of affected products and versions is in the table below.

     

    Product Track Affected Versions
    Acrobat DC  Continuous  23.003.20284 and earlier
    Acrobat Reader DC Continuous  23.003.20284 and earlier
    Acrobat 2020 Classic 2020            20.005.30516 (Mac) and earlier
    20.005.30514 (Win) and earlier
    Acrobat Reader 2020 Classic 2020            20.005.30516 (Mac) and earlier
    20.005.30514 (Win) and earlier

     

    Today, Adobe addressed more security flaws that can let attackers gain arbitrary code execution on systems running unpatched Adobe Connect and Adobe Experience Manager software.

     

    The Connect (CVE-2023-29305 and CVE-2023-29306) and Experience Manager (CVE-2023-38214 and CVE-2023-38215) bugs fixed today can all be used to launch reflected cross-site scripting (XSS) attacks.

     

    They can be exploited to access cookies, session tokens, or other sensitive info stored by the targets' web browsers.

     

    In July, Adobe pushed an emergency ColdFusion security update to address a zero-day (CVE-2023-38205) exploited in the wild as part of limited attacks. 

     

    Days later, CISA ordered federal agencies to secure Adobe ColdFusion servers on their networks against the actively exploited bug by August 10th.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...