Critical 0-Day Vulnerability in Adobe Acrobat and Reader Actively Exploited
Adobe has released patches to fix a critical zero-day vulnerability in Acrobat and Reader. This issue, identified as CVE-2023-26369, is already being exploited in attacks and affects both Windows and macOS users.
Details of the Vulnerability
According to Adobe, the vulnerability has been used in “limited attacks” targeting users of Adobe Acrobat and Reader. While no further details about these attacks have been disclosed, the flaw is classified as an out-of-bounds write that allows attackers to execute arbitrary code.
The bug does not require any additional privileges to be exploited. However, based on the CVSS 3.1 classification, the attack vector is local and user interaction is required. In CVSS terms, a local attack vector means the vulnerable component cannot be reached over the network; for a document reader, this typically corresponds to the victim having to open a malicious file, which is consistent with the user-interaction requirement.
Adobe has assigned the highest priority to CVE-2023-26369, strongly recommending that administrators install the updates as soon as possible—ideally within 72 hours.
Other Vulnerabilities Addressed
In addition to CVE-2023-26369, Adobe has fixed several other issues that could allow attackers to execute arbitrary code on systems running unpatched versions of Adobe Connect and Adobe Experience Manager.
- Vulnerabilities in Connect (CVE-2023-29305 and CVE-2023-29306)
- Vulnerabilities in Experience Manager (CVE-2023-38214 and CVE-2023-38215)
These flaws could be used to launch reflected XSS attacks, potentially giving attackers access to cookies, session tokens, and other sensitive information stored in targeted browsers.
Recommendation
Adobe urges all users and administrators to update their software immediately, prioritising the actively exploited Acrobat and Reader flaw and then the Connect and Experience Manager fixes.