---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical vulnerabilities in Adobe Products'
number: '2024-095'
version: '1.0'
original_date: '2024-09-10'
date: '2024-09-12'
---

_History:_

* _12/09/2024 --- v1.0 -- Initial publication_

# Summary

On September 10, 2024, Adobe released a security bulletin addressing two critical vulnerabilities affecting its Acrobat products. When exploited, these vulnerabilities could allow an attacker to execute arbitrary code [1]. A publicly available proof-of-concept exploit exists for one of the vulnerabilities [2].

# Technical Details

The vulnerability **CVE-2024-41869**, with a CVSS score of 7.8, is a use-after-free flaw that could lead to remote code execution when opening a specially crafted PDF document. A proof-of-concept exploit exists for this vulnerability.

The vulnerability **CVE-2024-45112**, with a CVSS score of 8.6, is a type confusion vulnerability that could lead to remote code execution.

# Affected Products

The following products are affected:

- Acrobat DC and Acrobat Reader DC for Windows versions 24.003.20054 and earlier.
- Acrobat DC and Acrobat Reader DC for macOS versions 24.002.21005 and earlier.
- Acrobat 2024 for Windows and macOS versions 24.001.30159 and earlier.
- Acrobat 2020 and Acrobat Reader 2020 for Windows and macOS versions 20.005.30655 and earlier.

# Recommendations

CERT-EU strongly recommends updating affected products to a fixed version [2].

# References

[1]

[2]