Adobe has released security updates to patch a zero-day vulnerability in Acrobat and Reader tagged as exploited in attacks.

Even though additional information on the attacks is yet to be disclosed, the zero-day is known to affect both Windows and macOS systems.

"Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader," the company said in a security advisory published today.

The critical security flaw is tracked as CVE-2023-26369 and can let attackers gain code execution after successfully exploiting an out-of-bounds write weakness.

While threat actors can exploit it in low-complexity attacks without requiring privileges, the flaw can only be exploited by local attackers and also requires user interaction, according to its CVSS v3.1 score.

CVE-2023-26369 was classified by Adobe with a maximum priority rating, with the company strongly advising administrators to install the update as soon as possible, ideally within a 72-hour window.

The complete list of affected products and versions is in the table below.

Product              Track          Affected Versions
Acrobat DC           Continuous     23.003.20284 and earlier
Acrobat Reader DC    Continuous     23.003.20284 and earlier
Acrobat 2020         Classic 2020   20.005.30516 (Mac) and earlier; 20.005.30514 (Win) and earlier
Acrobat Reader 2020  Classic 2020   20.005.30516 (Mac) and earlier; 20.005.30514 (Win) and earlier
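Because the thresholds differ per product track and, for the Classic 2020 track, per platform, a quick way to triage an endpoint inventory against this advisory is a small checker that compares installed builds numerically (a plain string comparison would rank "23.003.9" above "23.003.20284" and misclassify it). The following is an added example written for this article, not Adobe's code; the thresholds come from the table above, while the inventory records, hostnames and the "newer" build number are constructed sample data.

```python
"""Triage installed Acrobat/Reader builds against the CVE-2023-26369 advisory table."""

# Highest affected build per (product, track, platform), taken from the advisory table.
# A platform of None means the same threshold applies on Windows and macOS.
AFFECTED_THROUGH = {
    ("Acrobat DC", "Continuous", None): "23.003.20284",
    ("Acrobat Reader DC", "Continuous", None): "23.003.20284",
    ("Acrobat 2020", "Classic 2020", "mac"): "20.005.30516",
    ("Acrobat 2020", "Classic 2020", "win"): "20.005.30514",
    ("Acrobat Reader 2020", "Classic 2020", "mac"): "20.005.30516",
    ("Acrobat Reader 2020", "Classic 2020", "win"): "20.005.30514",
}


def parse_version(version: str) -> tuple:
    """Turn '23.003.20284' into (23, 3, 20284) so builds compare numerically, not lexically."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, track: str, platform: str, version: str) -> bool:
    """Return True when the installed build is at or below the last affected build."""
    plat = platform.lower()
    if plat not in ("win", "mac"):
        raise ValueError("platform must be 'win' or 'mac'")
    # Continuous-track entries are platform-independent; Classic 2020 entries are per platform.
    threshold = AFFECTED_THROUGH.get((product, track, None)) or AFFECTED_THROUGH.get((product, track, plat))
    if threshold is None:
        raise KeyError(f"no advisory entry for {product!r} on track {track!r}")
    return parse_version(version) <= parse_version(threshold)


def triage(inventory) -> list:
    """Return the hostnames whose build still needs the update, in inventory order."""
    return [host for host, product, track, plat, ver in inventory
            if is_affected(product, track, plat, ver)]


# Constructed sample inventory (hypothetical hosts; the 23.006.20320 build is a made-up later build).
SAMPLE_INVENTORY = [
    ("ws-01", "Acrobat Reader DC", "Continuous", "win", "23.003.20284"),  # exactly the last affected build
    ("ws-02", "Acrobat Reader DC", "Continuous", "win", "23.006.20320"),  # newer than the threshold
    ("mac-01", "Acrobat 2020", "Classic 2020", "mac", "20.005.30516"),    # affected on macOS
    ("ws-03", "Acrobat 2020", "Classic 2020", "win", "20.005.30516"),     # above the Windows threshold
    ("ws-04", "Acrobat DC", "Continuous", "win", "23.003.9"),             # would pass a string comparison
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update required (CVE-2023-26369)")
```

Note that the same build number, 20.005.30516, is affected on macOS but not on Windows for the Classic 2020 track, so the platform must be part of the lookup rather than assumed.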

Today, Adobe addressed more security flaws that can let attackers gain arbitrary code execution on systems running unpatched Adobe Connect and Adobe Experience Manager software.

The Connect (CVE-2023-29305 and CVE-2023-29306) and Experience Manager (CVE-2023-38214 and CVE-2023-38215) bugs fixed today can all be used to launch reflected cross-site scripting (XSS) attacks.

They can be exploited to access cookies, session tokens, or other sensitive info stored by the targets' web browsers.

In July, Adobe pushed an emergency ColdFusion security update to address a zero-day (CVE-2023-38205) exploited in the wild as part of limited attacks. 

Days later, CISA ordered federal agencies to secure Adobe ColdFusion servers on their networks against the actively exploited bug by August 10th.
