Connect with us

Hi, what are you looking for?



CISA Warns of Attacks Exploiting Adobe Acrobat Vulnerability 

CISA has added five bugs to its Known Exploited Vulnerabilities catalog, including the recent WordPad, Skype, and HTTP/2 zero-days.

Adobe Acrobat vulnerability exploited

The US cybersecurity agency CISA on Tuesday announced that it has added five more security defects to its Known Exploited Vulnerabilities catalog, warning organizations of attacks exploiting an Adobe Acrobat and Reader flaw that came to light earlier this year.

The Adobe Acrobat and Reader issue is CVE-2023-21608, a use-after-free vulnerability which can be exploited to achieve remote code execution (RCE) with the privileges of the current user.

Adobe released patches for this flaw in January 2023, but numerous proof-of-concept (PoC) exploits and technical write-ups have been published since, creating opportunities for threat actors to start targeting the issue in attacks.

Although there appear to be no public reports describing in-the-wild exploitation of CVE-2023-21608, CISA says it only adds CVEs to the KEV list based on solid proof that exploitation has occurred.

CISA also expanded KEV with CVE-2023-20109, an out-of-bounds write flaw in the Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS and IOS XE.

Also leading to RCE, the bug was patched at the end of September, when Cisco warned that it had observed exploitation attempts targeting it.

On the same day that Microsoft released patches for two zero-days impacting Skype for Business (CVE-2023-41763) and WordPad (CVE-2023-36563), CISA added both flaws to KEV. Neither Microsoft nor CISA have provided details on the observed attacks.

The fifth vulnerability that CISA has added to KEV on Tuesday is a zero-day in the HTTP/2 protocol, which has been exploited in some of the largest distributed denial-of-service (DDoS) attacks to date.

Advertisement. Scroll to continue reading.

Referred to as HTTP/2 Rapid Reset, the attack method involves repeatedly sending requests and immediately canceling them. All applications and servers running the standard implementation of HTTP/2 are vulnerable to this attack.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA’s warning reads.

As per the Binding Operational Directive (BOD) 22-01, federal agencies have 21 days to identify the vulnerable products within their networks and apply the available patches and mitigations.

CISA’s BOD 22-01 only applies to federal agencies, but CISA encourages all organizations to review the KEV catalog and prioritize remediation of the security defects in it, or discontinue the use of the vulnerable products if mitigations are not available.

Related: Faster Patching Pace Validates CISA’s KEV Catalog Initiative

Related: Organizations Warned of Top 10 Cybersecurity Misconfigurations Seen by CISA, NSA

Related: CISA Reverses Course on Malicious Exploitation of Video Conferencing Device Flaws

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.