[KEV] CVE-2020-9715 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2020-9715 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2020-9715 is a use-after-free vulnerability in Adobe Acrobat that can be exploited to achieve arbitrary code execution on affected systems.

Technical Detail

The flaw involves improper memory management within Adobe Acrobat, where a reference to freed memory can be accessed and manipulated by an attacker. Exploitation typically requires a user to open a specially crafted PDF document, triggering the use-after-free condition and allowing the attacker to control program execution flow. Successful exploitation results in remote code execution in the context of the current user, which can be chained with privilege escalation techniques for deeper system compromise.

Exploitation Status

CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on April 13, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliable exploitation exists and is being used in real-world attacks, not merely as a proof-of-concept demonstration.

Who Is Targeting This

No specific threat actor attribution is confirmed at this time. Given the operational exploit maturity and CISA KEV listing, opportunistic and targeted threat actors should both be considered plausible. No specific sectors have been identified as primary targets in available reporting.

What To Do

Organizations should apply the relevant Adobe Acrobat security update immediately. Per CISA's Known Exploited Vulnerabilities catalog requirements under Binding Operational Directive 22-01, federal agencies are required to patch this vulnerability or apply documented mitigations by the deadline associated with the April 13, 2026 KEV listing. All organizations, not only federal entities, are strongly advised to treat this as a high-priority patch given confirmed active exploitation. Where patching cannot be applied immediately, consider restricting the opening of PDF files from untrusted sources and disabling JavaScript execution within Acrobat as a partial mitigation. Monitor endpoint detection logs for anomalous process spawning from Acrobat processes as a detection signal.