[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2020-9715 Adobe Acrobat and Reader Use-After-Free Vulnerability

ESO_SOC * DAS ESO.SOC at das.oregon.gov
Mon Apr 13 13:50:54 PDT 2026 

Good afternoon,
The SOC Services team is reporting on the vulnerability: CVE-2020-9715 affecting Adobe Acrobat and Reader products across Windows and macOS platforms. Because this flaw has been confirmed to be exploited in the wild and is listed in the CISA KEV catalog, we are providing this in-depth information.
History: Adobe published a security bulletin on August 11, 2020, and NIST published this CVE on August 19, 2020, following disclosure by Adobe. The CVSS v3.x base score is 7.8 (High) reported by NIST and CISA-ADP.
Affected Versions

  *   Acrobat DC / Acrobat Reader DC (Continuous) versions 2020.009.20074 and earlier
  *   Acrobat 2020 / Acrobat Reader 2020 (Classic) version 20.001.30002
  *   Acrobat 2017 / Acrobat Reader 2017 versions 2017.011.30171 and earlier
  *   Desktop versions 2015.006.30523 and earlier

Fixed Versions

  *   Acrobat DC / Acrobat Reader DC (Continuous) version 2020.012.20041 or later
  *   Acrobat 2020 (Classic) version 2020.001.30005 or later
  *   Acrobat 2017 (Classic) version 2017.011.30175 or later
Adobe Acrobat and Reader contain a use-after-free vulnerability that occurs during the processing of certain objects within PDF documents. Successful exploitation could lead to arbitrary code execution in the context of the current user
Vendor Advisory: APSB20-48: Security Updates Available for Adobe Acrobat and Reader<https://helpx.adobe.com/security/products/acrobat/apsb20-48.html>
Intelligence: On April 13, 2026, CISA confirmed the vulnerability and has posted it in the Known Exploited Vulnerabilities Catalog.
Exploitability Level: Local Exploitability
Complexity: Low
User Interaction: Required
Remotely Exploitable: No
Proof of Concept: Yes
Zero Day: No
Workarounds: Disable JavaScript execution via Edit > Preferences > JavaScript and uncheck 'Enable Acrobat JavaScript'; Enable Protected View for all files via Edit > Preferences > Security (Enhanced)
How it Works: The vulnerability is a memory corruption flaw (CWE-416) triggered when the application handles ESObject objects. An attacker can craft a malicious PDF that manipulates the heap layout to place controlled data in a freed memory region
Post-Exploit Impact:

  *   Arbitrary Code Execution (CWE:416)
  *   Complete System Compromise (CWE:416)
Indicators of Compromise (IoCs):
Type
Value
Description / Notes
Process Behavior
Acrobat.exe / AcroRd32.exe
Unexpected crashes or spawning of suspicious child processes
Tenable Plugins: As of April 13, 2026, Tenable has the following plugins available for this KEV.
Plugin ID
Plugin Title
Severity
Platform
139578<https://www.tenable.com/plugins/nessus/139578>
Adobe Acrobat < 2015.006.30527 / 2017.011.30175 / 2020.001.30005 / 2020.012.20041 Multiple Vulnerabilities (APSB20-48) (macOS)
High
Nessus
139579<https://www.tenable.com/plugins/nessus/139579>
Adobe Reader < 2015.006.30527 / 2017.011.30175 / 2020.001.30005 / 2020.012.20041 Multiple Vulnerabilities (APSB20-48) (macOS)
High
Nessus
139580<https://www.tenable.com/plugins/nessus/139580>
Adobe Acrobat < 2015.006.30527 / 2017.011.30175 / 2020.001.30005 / 2020.012.20041 Multiple Vulnerabilities (APSB20-48)
High
Nessus
139581<https://www.tenable.com/plugins/nessus/139581>
Adobe Reader < 2015.006.30527 / 2017.011.30175 / 2020.001.30005 / 2020.012.20041 Multiple Vulnerabilities (APSB20-48)
High
Nessus
Recommended Actions:
Date Added to KEV Catalog: April 13, 2026
Due Date for Remediation: April 27, 2026

  *   Prioritize the deployment of Adobe security updates across all workstations
  *   Standardize the 'Protected View' configuration via Group Policy
  *   Verify host has not been compromised before applying patches.
  *   Apply appropriate updates provided by the vendor to vulnerable systems after testing.
  *   Run all software as a non-privileged user to reduce the impact of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.

[cid:image001.png at 01DCCB4C.41801BA0]
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20260413/b4e94114/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 21907 bytes
Desc: image001.png
URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20260413/b4e94114/attachment-0001.png>

More information about the CDP-development mailing list