Adobe patches critical zero-day that was exploited for months

April 14, 20262 min read2 sources
Share:
Adobe patches critical zero-day that was exploited for months

Adobe has released an emergency security update for a critical vulnerability in its Acrobat and Reader software that attackers have been actively exploiting for at least four months. The flaw, tracked as CVE-2024-34097, could allow for arbitrary code execution if a user opens a maliciously crafted PDF file.

The vulnerability affects multiple versions of Adobe Acrobat and Reader for both Windows and macOS, including Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020. According to Adobe's security bulletin, the company is aware that this flaw "has been exploited in the wild in limited attacks."

The zero-day was discovered and reported to Adobe by security researchers at Mandiant. A report from Dark Reading states that threat actors had been leveraging the vulnerability for a minimum of four months before the patch was issued on May 14. This extended period of undetected exploitation gave attackers a significant window to compromise targets.

Successful exploitation of CVE-2024-34097 grants an attacker the ability to execute code with the same privileges as the logged-in user. This could lead to a complete system takeover, enabling the installation of malware like ransomware or spyware, data theft, and further movement within a compromised network.

Given the active exploitation of this vulnerability, users and system administrators are strongly advised to apply the patches detailed in Adobe Security Bulletin APSB24-29 immediately. The widespread use of PDF documents makes this flaw a significant threat, as attackers often use them as a primary vector for initial access in targeted phishing campaigns.

Share:

// SOURCES

// RELATED

Meta settles bellwether lawsuit alleging addictive design harmed student mental health

Meta's confidential settlement with a Washington school district marks a pivotal moment in the massive litigation against social media's psychological

6 min readMay 24

Huawei zero-day attack behind last year’s crash of Luxembourg's entire telecoms network

A sophisticated zero-day attack on Huawei routers allegedly caused Luxembourg's 2023 national telecom outage, raising severe global security concerns.

6 min readMay 23

MiniPlasma Windows 0-day enables SYSTEM privilege escalation on fully patched systems

A newly disclosed 0-day flaw, MiniPlasma, allows attackers to gain full SYSTEM control on patched Windows systems, with a public PoC accelerating risk

6 min readMay 18

The ransomware dilemma: why more than half of security chiefs would pay the price

A new survey reveals 56% of CISOs would consider paying a ransom, highlighting the intense pressure to restore operations despite official guidance.

6 min readMay 16