CISA has added CVE-2020-9715, a vulnerability affecting Adobe Acrobat, to its Known Exploited Vulnerabilities (KEV) catalogue. The entry tracks the Adobe Acrobat Use-After-Free Vulnerability, which allows an attacker to execute arbitrary code on an affected system.
The flaw is a use‑after‑free condition in Acrobat’s handling of crafted PDF files. Exploitation can lead to remote code execution with the privileges of the current user. The vulnerability carries a CVSS v3.1 base score of 7.8, rated HIGH, and a security patch is available from Adobe.
Active exploitation has been observed, which is the basis for the CVE's inclusion in the KEV catalogue; there is no public record of ransomware campaigns leveraging this CVE. Federal civilian executive branch (FCEB) agencies must remediate the issue by 27 April 2026, as specified by CISA.
CISA’s required action is to “Apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” While the directive binds FCEB agencies, all organisations should review their Adobe Acrobat deployments and apply the patch or mitigations where feasible.
For full details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2020-9715 and the CISA KEV catalogue.