CVE-2013-0640
published 2013-02-14
CVE-2013-0640: Adobe Reader and Acrobat 9.x before 9.5.4, 10.x before 10.1.6, and 11.x before 11.0.02 allow remote attackers to execute arbitrary code or cause a denial of…
Priority P187 · high · 7.8 CVSS 3.1
AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2022-03-24
Exploited in the wild
EPSS: 86.98% (99.7th percentile)
Adobe Reader and Acrobat 9.x before 9.5.4, 10.x before 10.1.6, and 11.x before 11.0.02 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document, as exploited in the wild in February 2013.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | >= 10.0 < 10.1.6 | 10.1.6 |
| adobe | acrobat | >= 11.0 < 11.0.02 | 11.0.02 |
| adobe | acrobat | >= 9.0 < 9.5.4 | 9.5.4 |
| adobe | acrobat_reader | >= 10.0 < 10.1.6 | 10.1.6 |
| adobe | acrobat_reader | >= 11.0 < 11.0.02 | 11.0.02 |
| adobe | acrobat_reader | >= 9.0 < 9.5.4 | 9.5.4 |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_eus | — | — |
| redhat | enterprise_linux_eus | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_workstation | — | — |
| suse | linux_enterprise_desktop | — | — |
| suse | linux_enterprise_desktop | — | — |
Detection & IOCs (extracted from sources)
- Monitor for outbound connections to Russian IP addresses on nonstandard ports immediately after a PDF is opened, indicative of the Zbot dropper's beaconing activity.
- Detect use of bcdedit by non-administrative or unexpected processes, which may indicate the Zbot rootkit modifying Windows boot settings for persistence.
- Alert on creation of new system drivers in the Windows directory spawned by dropped PDF exploit payloads, as the malware drops drivers that execute during the boot sequence.
- Monitor for kernel callback registration (kernel notifiers) from newly dropped drivers, indicative of the rootkit injecting malicious processes into the kernel.
- Detect C2 beaconing on a ~10-minute interval to external IPs, characteristic of this Zbot variant receiving commands/tasks.
- Flag PDF attachments that drop and execute PE executables, particularly targeting Adobe Reader versions 9.x through 11.0.1 on Windows XP/7.
- Detect manipulation of Windows Mail files by dropped malware, which is used to propagate spear-phishing to the victim's contact list.
- The exploit was tested only on 32-bit and 64-bit Windows 7 and Windows XP; behavior on other platforms is unconfirmed.
- The exploit script is described as a rip of the original and noted to work only most of the time, indicating reliability may vary.
- At time of research, only 18 of 51 AV vendors detected the malicious PDF, indicating low initial AV detection coverage.
CVSS provenance
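| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |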
GHSA
GHSA-5mvv-qmf3-7p25: Adobe Reader and Acrobat 9
ghsa_unreviewed·2022-05-17
CVE-2013-0640 [HIGH] CWE-787 GHSA-5mvv-qmf3-7p25: Adobe Reader and Acrobat 9
Adobe Reader and Acrobat 9.x before 9.5.4, 10.x before 10.1.6, and 11.x before 11.0.02 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document, as exploited in the wild in February 2013.
VulnCheck
Adobe Reader and Acrobat Memory Corruption Vulnerability
vulncheck·2013·CVSS 7.8
CVE-2013-0640 [HIGH] CWE-787 Adobe Reader and Acrobat Memory Corruption Vulnerability
A memory corruption vulnerability exists in the acroform.dll in Adobe Reader that allows an attacker to perform remote code execution.
Affected: Adobe Acrobat and Reader
Required Action: Apply updates per vendor instructions.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2013-0640; https://www.fireeye.com/blog/threat-research/2013/02/the-number-of-the-beast.html; https://www.cve.org/CVERecord?id=CVE-2013-0640; https://cisa.gov/news-events/alerts/2013/02/14/adobe-releases-security-updates-adobe-reader-and-acrobat; https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465/; https://cybersecurity.att.com/blogs/labs-research/new-sykipot-developments; https://www.recordedfuture.com/russian-
CISA
Adobe Reader and Acrobat Memory Corruption Vulnerability
cisa·2022-03-03·CVSS 7.8
CVE-2013-0640 [HIGH] CWE-787 Adobe Reader and Acrobat Memory Corruption Vulnerability
Vulnerability: Adobe Reader and Acrobat Memory Corruption Vulnerability
Affected: Adobe Reader and Acrobat
A memory corruption vulnerability exists in the acroform.dll in Adobe Reader that allows an attacker to perform remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-0640
Remediation Due Date: 2022-03-24
Red Hat
acroread: Multiple unspecified vulnerabilities allow remote attackers to execute arbitrary code (APSB13-07)
vendor_redhat·2013-02-13·CVSS 7.8
CVE-2013-0640 [HIGH] acroread: Multiple unspecified vulnerabilities allow remote attackers to execute arbitrary code (APSB13-07)
Adobe Reader and Acrobat 9.x before 9.5.4, 10.x before 10.1.6, and 11.x before 11.0.02 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document, as exploited in the wild in February 2013.
Statement: This issue affects the version of Adobe Acroread as shipped with Red Hat Enterprise Linux 5 and 6. Updates will be released as soon as they are made generally available by Adobe.
No detection rules found.
Bugzilla
CVE-2013-0640 CVE-2013-0641 acroread: Multiple unspecified vulnerabilities allow remote attackers to execute arbitrary code (APSB13-07)
bugzilla·2013-02-14·CVSS 7.8
CVE-2013-0640 [HIGH] CVE-2013-0640 CVE-2013-0641 acroread: Multiple unspecified vulnerabilities allow remote attackers to execute arbitrary code (APSB13-07)
* Common Vulnerabilities and Exposures assigned an identifier CVE-2013-0640 to the following vulnerability:
Unspecified vulnerability in Adobe Reader and Acrobat 9.x through 9.5.3, 10.x through 10.1.5, and 11.x through 11.0.1 allows remote attackers to execute arbitrary code via a crafted PDF document, as exploited in the wild in February 2013, a different vulnerability than CVE-2013-0641.
* Common Vulnerabilities and Exposures assigned an identifier CVE-2013-0641 to the following vulnerability:
Unspecified vulnerability in Adobe Reader and Acrobat 9.x through 9.5.3, 10.x through 10.1.5, and 11.x through 11.0.1 allows remote attackers to execute arbit
Zscaler
Spearphishing Connects PCs To Russian Botnet | Zscaler
blogs_zscaler·2014-05-16·CVSS 7.8
[HIGH] Spearphishing Connects PCs To Russian Botnet | Zscaler
- http://blog.fireeye.com/research/2013/02/in-turn-its-pdf-time.html
- http://blogs.adobe.com/psirt/2013/02/adobe-reader-and-acrobat-vulnerability-report.html
- http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00024.html
- http://rhn.redhat.com/errata/RHSA-2013-0551.html
- http://security.gentoo.org/glsa/glsa-201308-03.xml
- http://www.adobe.com/support/security/advisories/apsa13-02.html
- http://www.adobe.com/support/security/bulletins/apsb13-07.html
- http://www.kb.cert.org/vuls/id/422807
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16406
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0640
2013-02-14: Published
2022-03-03: Added to CISA KEV
Exploited in the wild