Adobe fixes Acrobat 0-day as experts prepare exploit reveal

A researcher has warned that Adobe’s recent patch for a remote code execution (RCE) vulnerability in Acrobat does not mention that the vulnerability is considered a zero-day or that a proof-of-concept (PoC) exploit exists. The vulnerability, originally reported in June by researcher Haifei Li, was only assigned a 7.8-out-of-10 CVSS base score, which may not accurately reflect its severity. Despite being labeled as “critical” by Adobe, the CVSS score suggests a lower “high” severity. This, combined with the fact that there is a PoC exploit in the wild, means that system administrators may not prioritize patching the vulnerability as urgently as they should.

Adobe has acknowledged that a secondary fix is required to fully address the issue and is working to prioritize its release. Expmon, the zero-day and exploit-detection platform that originally reported the vulnerability, will be sharing a sample PDF containing the PoC exploit in the near future. Once this is released, attackers may be able to use it to launch RCE attacks.

It is unclear why Adobe did not mention the existence of a PoC or that researchers deemed it a zero-day vulnerability. More information about the issue will be provided in an upcoming blog post co-authored by Expmon and Check Point Research.
