Two critical vulnerabilities could lead to arbitrary code execution

Threat ID:CC-4549

Threat Severity:Medium

Published:12 September 2024 1:52 PM

Summary

Affected platforms

The following platforms are known to be affected:

Adobe Acrobat

Acrobat 2024 | Prior to 24.001.30187

Acrobat 2020 | Prior to 20.005.30680

Acrobat DC | Prior to 24.003.20112

Acrobat Reader DC | Prior to 24.003.20112

Acrobat Reader 2020 | Prior to 20.005.30680

Threat details

Proof-of-concept sample for CVE-2024-41869 discovered in the wild

Security researchers discovered CVE-2024-41869 in a sample PDF discovered in the wild. The sample reportedly appeared to be a partial proof-of-concept (PoC) exploit and researchers have stated the plan to publish technical details in the future. NHS England National CSOC assess exploitation of CVE-2024-41869 in the future is likely.

Introduction

Adobe has released security updates addressing two critical vulnerabilities affecting Acrobat products on Windows and MacOS.

CVE-2024-41869 is a 'use after free' vulnerability with a CVSSv3 score of 7.8 and if exploited could allow arbitrary code execution (ACE).

CVE-2024-45112 is a 'type confusion' vulnerability with a CVSSv3 score of 8.6 and if exploited could allow ACE.

Remediation advice

Affected organisations are encouraged to review Adobe Security Bulletin APSB24-70 and apply the relevant updates.

Definitive source of threat updates

https://helpx.adobe.com/security/products/acrobat/apsb24-70.html

CVE Vulnerabilities

StatusReserved

CVE-2024-41869

StatusReserved

CVE-2024-45112

Last edited: 12 September 2024 1:52 pm