Adobe is warning customers about a vulnerability in its Acrobat and Reader products that has been used in some targeted attacks.
The company released an update on Tuesday to address the bug, which can be used to gain remote code execution on target machines. The vulnerability (CVE-2023-26369) affects Acrobat and Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020, on both Windows and macOS.
“This update addresses a critical vulnerability. Successful exploitation could lead to arbitrary code execution. Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader,” the advisory says.
Adobe did not specify how many customers had been targeted or which industries they are in. The flaw itself is an out-of-bounds write.
In addition to the fix for the actively exploited flaw, Adobe released patches for bugs in Adobe Connect and Experience Manager. Both of those flaws can result in arbitrary code execution in vulnerable products.
Enterprises should install the Adobe updates as quickly as possible, especially the update for Reader and Acrobat, given that active attacks are ongoing.