September Vuln of the Month: CVE-2021-28640

Sep 15, 2021
Jerry Gamblin
Director of Security Research at Kenna Security


September’s Vuln of the Month is a vulnerability involving a favorite target of hackers: Adobe Reader software.

So on this Exploit Wednesday, we’re spotlighting CVE-2021-28640, a Use After Free vulnerability affecting all known versions of Acrobat Reader DC. Our research shows that CVE-2021-28640 meets many of the criteria we look for to be widely exploited, including:

  • Access complexity: Low
  • Potential attack surface: Massive
  • Exploitable remotely: Yes
  • Authentication/privilege requirements: None
  • Potential impact on availability: Partial
  • Exploit code published: No
  • Active exploits observed: Yes

[Figure: Kenna Risk Score distribution for CVE-2021-28640]

The Kenna Risk Score for CVE-2021-28640 is 82. Just 1.3% of the more than 156,000 CVEs scored by Kenna have earned a higher risk score. That’s certainly critical in our book. This contrasts with CVSS 3.1, which assigns this CVE a “High” score of 7.3 (only CVSS scores of 9 or above are labeled “Critical”), and CVSS 2.0, which gives it a “Medium” score of 6.0. The reason for this disparity is, as always, that Kenna Risk Scores incorporate far more contextual information and analysis, aided by data science and machine learning, to provide a more complete and accurate prediction of the relative risk a vulnerability poses to an organization.

Why CVE-2021-28640 matters

In the digital space, it’s hard to find a more ubiquitous file format than PDFs. More than 300 billion PDFs were opened by Adobe products last year. And although Adobe doesn’t break down that figure by application, it’s a safe bet that the free Adobe Reader DC opened most of them, though it’s important to note that even some paid Adobe Acrobat versions are also affected.

That’s what makes Adobe Reader such a popular target, and it’s why CVE-2021-28640 is a CVE of particular interest. This vulnerability earned such a high Kenna Risk Score because its attributes warrant it: All attackers have to do is get an unsuspecting user to open a malicious PDF file (and recent research reveals that’s not very difficult), and they can remotely execute arbitrary code from there. CVE-2021-28640 has already been successfully exploited in the wild. 

And as is always the challenge with end-user applications, successful remediation requires prompt action by users themselves.

Bottom line

CVE-2021-28640 should be at the top of your fix list. The attack surface is massive, hackers can easily gain the ability to execute remote code, bad actors are already exploiting this vuln in the wild, and enterprise security managers will need to force an update ASAP for all users of affected Adobe Reader and Acrobat products.

Mitigation status

On July 13, Adobe issued an update for Windows and macOS versions of Adobe Acrobat and Reader. The update patches not just CVE-2021-28640, but a host of other vulnerabilities.
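Forcing the update fleet-wide starts with knowing which endpoints still run an old build. The PowerShell snippet below is an added example, not code from Kenna or Adobe: it reads the Windows Uninstall registry keys that every MSI-installed Acrobat or Reader product writes, and flags installs whose version is below a patched build. The post does not state the fixed build number, so `$PatchedVersion` is a placeholder you must set from Adobe's July 13 bulletin; the function name `Get-AdobeAcrobatInstalls` is likewise this example's own.

```powershell
# Added example (not from the Kenna post): inventory Adobe Acrobat/Reader installs
# on a Windows host and flag builds older than the patched release.
# PLACEHOLDER: the post gives no fixed build number; set this from Adobe's advisory.
$PatchedVersion = [version]'0.0.0.0'

# Both 64-bit and 32-bit (WOW6432Node) uninstall hives; Reader DC is a 32-bit install on most hosts.
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AdobeAcrobatInstalls {
    Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Acrobat*' -or $_.DisplayName -like 'Adobe Reader*' } |
        ForEach-Object {
            # DisplayVersion is a string such as "21.005.20048"; parse it so comparison is numeric, not lexical.
            $installed = $null
            $parsed = [version]::TryParse($_.DisplayVersion, [ref]$installed)
            $needsUpdate = if ($parsed) { $installed -lt $PatchedVersion } else { 'unknown' }
            [pscustomobject]@{
                Host        = $env:COMPUTERNAME
                Product     = $_.DisplayName
                Version     = $_.DisplayVersion
                NeedsUpdate = $needsUpdate
            }
        }
}

Get-AdobeAcrobatInstalls | Format-Table -AutoSize
```

Run it locally to check one machine, or wrap the whole block in `Invoke-Command -ComputerName` against your endpoint list to build a single report of hosts that still need the Acrobat/Reader update. Rows marked `unknown` have a `DisplayVersion` that did not parse and should be checked by hand rather than assumed patched.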

Watch this space for regular Vuln of the Month spotlights, which appear on Exploit Wednesday, the day following Microsoft’s monthly Patch Tuesday patch release. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.
