Adobe has released an emergency security update for a critical vulnerability in its Acrobat and Reader software that attackers have been actively exploiting for at least four months. The flaw, tracked as CVE-2024-34097, could allow for arbitrary code execution if a user opens a maliciously crafted PDF file.
The vulnerability affects multiple versions of Adobe Acrobat and Reader for both Windows and macOS, including Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020. According to Adobe's security bulletin, the company is aware that this flaw "has been exploited in the wild in limited attacks."
The zero-day was discovered and reported to Adobe by security researchers at Mandiant. A report from Dark Reading states that threat actors had been leveraging the vulnerability for a minimum of four months before the patch was issued on May 14. This extended period of undetected exploitation gave attackers a significant window to compromise targets.
Successful exploitation of CVE-2024-34097 grants an attacker the ability to execute code with the same privileges as the logged-in user. This could lead to a complete system takeover, enabling the installation of malware like ransomware or spyware, data theft, and further movement within a compromised network.
Given the active exploitation of this vulnerability, users and system administrators are strongly advised to apply the patches detailed in Adobe Security Bulletin APSB24-29 immediately. The widespread use of PDF documents makes this flaw a significant threat, as attackers often use them as a primary vector for initial access in targeted phishing campaigns.