CVE-2009-1862
published 2009-07-23

CVE-2009-1862: Unspecified vulnerability in Adobe Reader and Acrobat 9.x through 9.1.2, and Adobe Flash Player 9.x through 9.0.159.0 and 10.x through 10.0.22.87, allows…

Priority: P2 77 high
CVSS 3.1: 7.8 (AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
KEV: CISA Known Exploited Vulnerability, due 2022-06-22
ITW: Exploited in the wild
EPSS: 25.01% (97.6th percentile)
Unspecified vulnerability in Adobe Reader and Acrobat 9.x through 9.1.2, and Adobe Flash Player 9.x through 9.0.159.0 and 10.x through 10.0.22.87, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via (1) a crafted Flash application in a .pdf file or (2) a crafted .swf file, related to authplay.dll, as exploited in the wild in July 2009.

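Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| adobe | acrobat | 9.0 – 9.1.2 | |
| adobe | acrobat_reader | 9.0 – 9.1.2 | |
| adobe | flash_player | 10.0 – 10.0.22.87 | |
| adobe | flash_player | 9.0 – 9.0.159.0 | |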

Detection & IOCs (extracted from sources)

filename: authplay.dll
  • The vulnerability is triggered through authplay.dll (libauthplay.so on Linux) loaded by Adobe Reader/Acrobat 9.x; monitor for abnormal child process spawning from AcroRd32.exe or acroread involving authplay.dll.
  • Exploit can be delivered via a crafted Flash application embedded in a PDF file; inspect PDF files for embedded SWF streams as an indicator of potential exploitation.
  • The vulnerability in authplay.dll/libauthplay.so only affects Adobe Reader/Acrobat 9.x; versions 7 and 8 do not ship with this component and are not directly vulnerable via PDF, though they may be vulnerable if they call out to an installed vulnerable Flash Player.
  • Adobe Reader v7 and v8 can still be exploited indirectly if they call out to a separately installed vulnerable Flash Player for SWF playback; disabling Flash Player callout in Reader preferences mitigates this vector.

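CVSS provenance

| Source | Version | Score | Severity | Vector |
|--------|---------|-------|----------|--------|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |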