Adobe fixes Acrobat 0-day while experts prepare the exploit


Adobe's patch file for a Remote Code Execution (RCE) bug in Acrobat does not mention that the vulnerability is considered a zero-day or that there is a proof-of-concept (PoC) exploit, a researcher warns.

WARNING Update Acrobat Reader to fix a zero-day exploit in the wild September 2024

As part of Adobe's Patch Tuesday, the creative software vendor fixed CVE-2024-41869 — a vulnerability originally reported in June by researcher Haifei Li, founder of zero-day and exploit detection platform Expmon.

Li issued the warning because the vulnerability was assigned a CVSS base score of only 7.8, which does not carry the same weight as a critical severity rating. Given that a PoC exploit is out in the wild, system administrators may not be giving the vulnerability the level of priority it deserves.

To Adobe's credit, the vendor says the use-after-free vulnerability has a "critical" severity, even though its CVSS score suggests the severity is "high", one step below critical.
