
CISA Warns of Adobe Acrobat Reader Vulnerability Allowing RCE

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently flagged a significant vulnerability in Adobe Acrobat Reader, marked as CVE-2023-21608 with a CVSS score of 7.8.

The flaw is a use-after-free bug that could allow remote code execution (RCE) with the privileges of the current user. It was discovered by HackSys security researchers Ashfaq Ansari and Krishnakant Patil. Adobe released a patch in January 2023.

Affected Versions

The impact extends to several versions of the software, including Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020.

Users are urged to update to the fixed versions (Acrobat DC 22.003.20310, Acrobat Reader DC 22.003.20310, Acrobat 2020 20.005.30436, and Acrobat Reader 2020 20.005.30436) to mitigate potential risks.
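The following added example (not from the original post or from Adobe) checks a software inventory against the fixed versions listed above. The CSV columns `host`, `product`, `version` and the sample rows are constructed assumptions; rows with an unrecognized product name or an unparsable version are marked for manual review rather than guessed at.

```python
import csv
import io

# Fixed versions exactly as listed in the article, keyed by product name.
FIXED = {
    "Acrobat DC": "22.003.20310",
    "Acrobat Reader DC": "22.003.20310",
    "Acrobat 2020": "20.005.30436",
    "Acrobat Reader 2020": "20.005.30436",
}

def parse_version(text):
    """Turn '22.003.20310' into (22, 3, 20310) so zero padding does not matter."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)

def classify(product, version):
    """Return 'patched', 'vulnerable' or 'review' for one inventory row."""
    fixed = FIXED.get(product.strip())
    if fixed is None:
        return "review"            # product not covered by the article's list
    try:
        installed = parse_version(version)
    except ValueError:
        return "review"            # agent reported something we cannot compare
    return "patched" if installed >= parse_version(fixed) else "vulnerable"

def audit(inventory_csv):
    """Classify every row of an inventory CSV (columns: host, product, version)."""
    rows = csv.DictReader(io.StringIO(inventory_csv.strip()))
    return [(r["host"], classify(r["product"], r["version"])) for r in rows]

# Constructed sample inventory; hosts and installed versions are illustrative.
SAMPLE = """
host,product,version
ws-001,Acrobat Reader DC,22.003.20282
ws-002,Acrobat Reader DC,22.3.20310
ws-003,Acrobat 2020,20.005.30418
ws-004,Acrobat Reader 2020,20.005.30436
ws-005,Acrobat DC,23.001.20093
ws-006,Acrobat Reader DC,unknown
ws-007,Acrobat 2017,17.012.30262
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```

Versions are compared as integer tuples, so an agent that reports `22.3.20310` instead of `22.003.20310` is still recognized as patched.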

Exploitation and Unknown Actors

Details regarding the nature of exploitation and the identity of threat actors exploiting CVE-2023-21608 remain undisclosed. The absence of information heightens the urgency for organizations to act proactively in securing their systems.

Previous Incidents

This vulnerability marks the second instance of in-the-wild exploitation for Adobe Acrobat and Reader, following CVE-2023-26369. The prior case involved an out-of-bounds write issue, emphasizing the persistent challenges in safeguarding these widely used applications.

Mitigation for Federal Agencies

In response to this security concern, Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply the vendor-provided patches by October 31, 2023.

This deadline underscores the critical importance of timely action to mitigate potential threats. Organizations must remain vigilant and prioritize timely updates to ensure the resilience of their systems against emerging vulnerabilities.


