(CTN News) – There have been security updates released by Adobe as a result of a zero-day vulnerability in Acrobat and Reader being exploited in attacks.
While additional information on the attacks has yet to be provided, it is known that the zero-day attack targets both Windows and macOS-based computers.
In a security advisory published today, Adobe said that it is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader products.
As CVE-2023-26369 points out, this critical security flaw can be exploited by an attacker who successfully exploits an out-of-bounds write vulnerability in order to gain code execution as a result.
While threat actors can exploit it in low-complexity attacks without requiring privileges, the vulnerability can only be exploited by local attackers and requires user interaction in order to exploit it, according to the CVSS v3.1 score for this vulnerability.
The vulnerability CVE-2023-26369 has been classified with a maximum priority by Addobe, with the company strongly advising administrators to install the patch as quickly as possible, ideally within a 72-hour period.
You can find a complete list of the affected products and versions in the table below.
It is important to note that Adobe has addressed more security flaws that could enable attackers to execute arbitrary code on systems running unpatched versions of Adobe Connect and Adobe Experience Manager software.
A number of the bugs that have been fixed today in Connect (CVE-2023-29305 and CVE-2023-29306) as well as Experience Manager (CVE-2023-38214 and CVE-2023-38215) can all be used to launch reflected cross-site scripting (XSS) attacks.
In addition, they can be exploited in order to extract cookies, session tokens, or other sensitive information that is stored by the targets’ web browsers.
Adobe pushed a ColdFusion security update in July to address a zero-day problem (CVE-2023-38205) that was exploited in the wild as part of a limited attack.
A few days after that, CISA issued an order directing federal agencies to secure Adobe ColdFusion servers on their networks against the actively exploited bug by August 10th, 2013.