ThreatLevelBeta
Planned Fix

CVE-2020-9715

Adobe Acrobat/Reader UAF RCE via crafted PDF
Loading...

Summary

Adobe Acrobat and Reader contain a use-after-free in PDF ESObject handling. A malicious PDF with embedded JavaScript can trigger stale object reuse, leading to memory corruption, heap spraying, and an eventual arbitrary code execution primitive. The flaw does not require authentication, but the victim must open the crafted document.

Why Planned Fix?

4/6
No authentication required
Internal deployment
User interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type
RCE (Remote Code Execution)
Is exploitable with default configuration?
Yes
Is authentication needed?
No
PoC / Exploit
Yes
github.comgithub.com
Impact

Execute arbitrary code as the current user

RCE (Remote Code Execution)
Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

An attacker delivers or hosts a crafted PDF that contains malicious JavaScript. When the victim opens it in a vulnerable Acrobat or Reader version, the ESObject cache can retain a stale pointer after the underlying object is freed. The exploit reuses that stale object to corrupt memory, typically by manipulating an ArrayBuffer into a read/write primitive, then pivots to ROP and shellcode execution in the Reader process.

Detection Resources
Manual Detection
0
Script Detection
0
Scanner Detection
Rapid7 InsightVM
1

Affected Software

Vendor:Adobe
ProductAffected Versions
Adobe Acrobat2020.009.20074 and earlier; 2020.001.30002; 2017.011.30171 and earlier; 2015.006.30523 and earlier
Adobe Acrobat Reader2020.009.20074 and earlier; 2020.001.30002; 2017.011.30171 and earlier; 2015.006.30523 and earlier
Description

Desktop software for viewing, creating, signing, and editing PDF documents.

Deployment:Typically internal
|
Protocol:None
|
Ports:
Affected ComponentPDF JavaScript ESObject/data-object handling in the Acrobat/Reader ESObjects cache.

PDF JavaScript ESObject/data-object handling in the Acrobat/Reader ESObjects cache.

Enterprise UsageEstimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals — not exact data.
Very Low
Low
Medium
High
Very High
Vendor Size:Big
Remediation
Workaround

Not available

Patch

Not available

Update
Upgrade Adobe Acrobat/Reader to 2020.012.20041 (Continuous), 2020.001.30005 (Classic 2020), 2017.011.30175 (Classic 2017), or 2015.006.30527 (Classic 2015), or later.

Upgrade Adobe Acrobat/Reader to 2020.012.20041 (Continuous), 2020.001.30005 (Classic 2020), 2017.011.30175 (Classic 2017), or 2015.006.30527 (Classic 2015), or later.

helpx.adobe.com
Threat Intelligence
EPSS Score50.4%

Probability of exploitation in the next 30 days

EPSS Percentile98%

Worse than 98% of all CVEs

Last updated: Loading...
CISAKEV
CISA KEV
Listed
Loading...
Active Exploitation
Active
asec.ahnlab.com
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data

Published: Loading...Modified: Loading...

Description Summary

Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have an use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution .

CVSS Base Score

7.8
High

CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Attack Vector (AV)
Physical
Local
Adjacent
Network
Attack Complexity (AC)
High
Low
Privileges Required (PR)
High
Low
None
User Interaction (UI)
Required
None
Scope (S)
Unchanged
Changed
Confidentiality (C)
None
Low
High
Integrity (I)
None
Low
High
Availability (A)
None
Low
High
CWE:CWE-416 Use After FreeCWE-416 Use After Free
|
NVD:CVE-2020-9715
|
Version From:15.006.30060, 15.008.20082, 15.006.30060, 15.008.20082
|
Version Upto:15.006.30523, 20.009.20074, 15.006.30523, 20.009.20074

Affected Software (CPE) (6)

  • cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:classic:*:*:*
  • cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*
  • cpe:2.3:a:adobe:acrobat_dc:20.001.30002:*:*:*:classic:*:*:*
  • cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:classic:*:*:*
  • cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:*
  • cpe:2.3:a:adobe:acrobat_reader_dc:20.001.30002:*:*:*:classic:*:*:*

Sources

8
SourceArticle
nvd.nist.govCVE-2020-9715 Detail
helpx.adobe.comAdobe Security Bulletin APSB20-48
thezdi.comExploiting a Use-After-Free in Adobe Reader
asec.ahnlab.comAPT Attacks Using PDF Files, Possibly by North Korea Related Group
rapid7.comAdobe Acrobat: CVE-2020-9715
cisa.govKnown Exploited Vulnerabilities Catalog
github.comlsw29475/CVE-2020-9715
github.comwonjunchun/CVE-2020-9715

Priority History

Planned FixLoading...

Initial analysis