Adobe has released security updates to patch a zero-day vulnerability in Acrobat and Reader tagged as exploited in attacks.
Even though additional information on the attacks is yet to be disclosed, the zero-day is known to affect both Windows and macOS systems.
"Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader," the company said in a security advisory published today.
The critical security flaw is tracked as CVE-2023-26369 and can let attackers gain code execution after successfully exploiting an out-of-bounds write weakness.
While threat actors can exploit it in low-complexity attacks without requiring privileges, the flaw can only be exploited by local attackers and also requires user interaction, according to its CVSS v3.1 score.
Adobe classified CVE-2023-26369 with a maximum priority rating and strongly advises administrators to install the update as soon as possible, ideally within a 72-hour window.
The complete list of affected products and versions is in the table below.
Product | Track | Affected Versions |
Acrobat DC | Continuous | 23.003.20284 and earlier |
Acrobat Reader DC | Continuous | 23.003.20284 and earlier |
Acrobat 2020 | Classic 2020 | 20.005.30516 (Mac) and earlier; 20.005.30514 (Win) and earlier |
Acrobat Reader 2020 | Classic 2020 | 20.005.30516 (Mac) and earlier; 20.005.30514 (Win) and earlier |