CVE-2009-0927
published 2009-03-19

Priority: P1 · 89 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 96.60% (99.9th percentile)

Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.

Affected

3 ranges

Vendor   Product          Version range      Fixed in
adobe    acrobat_reader   >= 7.0 < 7.1.1     7.1.1
adobe    acrobat_reader   >= 8.0 < 8.1.3     8.1.3
adobe    acrobat_reader   >= 9.0 < 9.1       9.1

Detection & IOCs (extracted from sources)

  • CVE-2009-0927 is actively bundled in exploit kits (iPack, Blackhole) alongside other PDF CVEs. Detections should correlate multi-CVE PDF exploit attempts from the same source as a strong indicator of exploit kit activity.
  • The Metasploit module for this vulnerability (adobe_geticon.rb) targets Adobe Reader/Acrobat versions < 7.1.1, < 8.1.3, and < 9.1. Endpoint detection should flag execution of Adobe Reader processes spawning child processes when these vulnerable versions are present.
  • The two Snort signatures provided reference CVE-2011-0611 (not CVE-2009-0927) in their reference fields, but are documented in the context of detecting Blackhole kit PDF exploit delivery URLs that include CVE-2009-0927 payloads. Operators should be aware of this cross-reference discrepancy.
  • The Blackhole exploit kit URL path patterns vary across kit versions; the listed patterns (/content/ap1.php, /fdp1.php, /adfp1.php, etc.) are not exhaustive, and new variants may use different paths.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd             v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck                 8.8     HIGH
cisa                      8.8     HIGH
vendor_redhat             7.8     HIGH