Arbitrary Code Execution Vulnerability in Adobe Products (CVE-2023-26369)

An arbitrary code execution vulnerability (CVE-2023-26369) was identified in Adobe products, including Acrobat DC, Acrobat Reader DC, Acrobat 2020 and Acrobat Reader 2020.  The vulnerability enables a local authenticated attacker with user interaction to achieve arbitrary code execution.  Users are urged to apply the latest patch immediately.

Vulnerability

• Arbitrary Code Execution Vulnerability (CVE-2023-26369)

Severity Level

• Critical

Affected products

• Acrobat DC 23.003.20284 and earlier
• Acrobat Reader DC 23.003.20284 and earlier
• Acrobat 2020 20.005.30516 (Mac) and earlier
• Acrobat 2020 20.005.30514 (Win) and earlier
• Acrobat Reader 2020 20.005.30516 (Mac) and earlier
• Acrobat Reader 2020 20.005.30514 (Win) and earlier

Remediation

• Update affected Adobe product versions to the latest version ASAP by following below:
  • The latest product versions are available to end users via one of the following methods:
    • Users can update their product installations manually by choosing Help > Check for Updates.
    • The products will update automatically, without requiring user intervention, when updates are detected.
    • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.

    For IT administrators (managed environments):

    • Refer to the specific release note version for links to installers.
    • Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.

Reference

• Adobe Security Bulletin
• HKCERT:  Adobe Monthly Security Update (September 2023)

Enquiry

• ITSC Service Desk: http://servicedesk.itsc.cuhk.edu.hk

Published on: 14 Sep 2023