The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five new flaws to its catalog, including a high-severity flaw (CVSS score: 7.8) in Adobe Acrobat Reader.
The flaw is a use-after-free issue; an attacker can trigger it to achieve remote code execution (RCE) with the privileges of the current user.
“Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user,” reads the advisory. “Exploitation of this issue requires user interaction in that a victim must open a malicious file.”
Adobe addressed the vulnerability in January 2023, and PoC exploit code for this issue is available online.
The remaining issues addressed by CISA are:
According to , FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this flaw by October 31, 2023.
(SecurityAffairs – hacking, CISA)