CVE-2013-2729
Published 2013-05-16
Priority P1 · 91 · critical 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-18
Exploited in the wild
EPSS: 66.55% (99.2th percentile)
Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727.
Affected
91 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
Detection & IOCs (extracted from sources)
- CVE-2013-2729 is exploited via a malicious embedded BMP/RLE image inside a PDF. The vulnerable binary is AcroForm.api in Adobe Reader 10.x (confirmed version 10.1.4.38). Deleting AcroForm.api is a documented workaround.
- Exploit delivery observed via spear-phishing emails with PDF attachments. Subject lines follow the pattern 'inovice <random_number>.pdf' (note the deliberate misspelling of 'invoice'). From headers contain unusual strings such as 'EOF', 'endobj', and 'endstream'.
- Post-exploitation: dropped files immediately beacon to a Russian IP and download additional malicious PE files. C2 communications use nonstandard ports. Monitor for outbound connections on nonstandard ports following PDF opens.
- Post-exploitation persistence: the malware uses bcdedit to modify Windows boot settings, drops a system driver that executes at boot, spawns drivers in the Windows directory, creates a randomly-named autostart registry key, and injects into the kernel. Monitor for bcdedit execution and new driver creation in the Windows directory.
- CryptoWall 2.0 delivered via this CVE communicates exclusively over Tor. Blocking the Tor application at the network perimeter will disrupt C2 for this payload.
- The malware manipulates Windows Mail files to use the victim as a node in further spear-phishing campaigns against the victim's contact list. Monitor for unexpected modification of Windows Mail data files.
- The exploit affects Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03. The exploit-db PoC was written against version 10.1.4.38 specifically. Default configuration is sufficient for exploitation — no special settings required.
- The workaround of deleting AcroForm.api will break AcroForm functionality but prevents exploitation of this vulnerability.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
GHSA
GHSA-h6q5-w33h-288x: Integer overflow in Adobe Reader and Acrobat 9
ghsa_unreviewed·2022-05-17·CVSS 9.8
CVE-2013-2727 [CRITICAL] GHSA-h6q5-w33h-288x: Integer overflow in Adobe Reader and Acrobat 9
Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2729.
GHSA
GHSA-q39j-xwr5-2ggj: Integer overflow in Adobe Reader and Acrobat 9
ghsa_unreviewed·2022-05-17·CVSS 10.0
CVE-2013-2729 [CRITICAL] CWE-190 GHSA-q39j-xwr5-2ggj: Integer overflow in Adobe Reader and Acrobat 9
Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727.
VulnCheck
Adobe Reader and Acrobat Arbitrary Integer Overflow Vulnerability
vulncheck·2013·CVSS 9.8
CVE-2013-2729 [CRITICAL] CWE-189 Adobe Reader and Acrobat Arbitrary Integer Overflow Vulnerability
Adobe Reader and Acrobat Arbitrary Integer Overflow Vulnerability
Integer overflow vulnerability in Adobe Reader and Acrobat allows attackers to execute remote code.
Affected: Adobe Acrobat and Reader
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://securelist.com/the-epic-turla-operation/65545/; https://unit42.paloaltonetworks.com/tracking-new-ransomware-cryptowall-2-0/; https://cisa.gov/news-events/alerts/2015/04/29/top-30-targeted-high-risk-vulnerabilities; https://www.us-cert.gov/ncas/alerts/TA15-119A; https://cisa.gov/news-events/alerts/2014/10/27/phishing-campaign-linked-dyre-banking-malware; https://us-cert.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activi
CISA
Adobe Reader and Acrobat Arbitrary Integer Overflow Vulnerability
cisa·2022-03-28·CVSS 9.8
CVE-2013-2729 [CRITICAL] CWE-189 Adobe Reader and Acrobat Arbitrary Integer Overflow Vulnerability
Vulnerability: Adobe Reader and Acrobat Arbitrary Integer Overflow Vulnerability
Affected: Adobe Reader and Acrobat
Integer overflow vulnerability in Adobe Reader and Acrobat allows attackers to execute remote code.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-2729
Remediation Due Date: 2022-04-18
Red Hat
acroread: multiple code execution flaws (APSB13-15)
vendor_redhat·2013-05-14·CVSS 10.0
CVE-2013-2727 [CRITICAL] acroread: multiple code execution flaws (APSB13-15)
acroread: multiple code execution flaws (APSB13-15)
Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2729.
Red Hat
acroread: multiple code execution flaws (APSB13-15)
vendor_redhat·2013-05-14·CVSS 10.0
CVE-2013-2729 [CRITICAL] acroread: multiple code execution flaws (APSB13-15)
acroread: multiple code execution flaws (APSB13-15)
Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727.
No detection rules found.
Qualys
US-CERT: Top 30 Vulnerabilities | Qualys
blogs_qualys·2015-05-01·CVSS 2.6
[LOW] US-CERT: Top 30 Vulnerabilities | Qualys
On April 29, 2015 US-CERT published TA15-119A which describes the Top 30 vulnerabilities that critical infrastructure organizations should focus on because they are under attack all the time. The list contains Windows, Internet Explorer, Adobe Software from Reader, Flash to Cold Fusion, Java from Oracle and others and is quite similar to the more generic set of software packages published by the German BSI last December.
Here is a list of the vulnerabilities in the advisory. I have reordered and optimized where possible for efficient scanning with Qualys, for example listing the most recent patch first to take advantage of superseding patches:
- Windows: MS14-060 for CVE-2014-4114, Qualys ID: 90979
- Internet Explorer: MS14-021 for CVE-2014-1776, Qualys ID: 100191
- MS14-012 for CVE-201
Unit42
Tracking New Ransomware CryptoWall 2.0
blogs_unit42·2014-10-22
Tracking New Ransomware CryptoWall 2.0
## Tracking New Ransomware CryptoWall 2.0
Ryan Olson
Published: October 22, 2014
Ransomware
Threat Research
Bitcoin
CryptoWall
CryptoWall 2.0
Tor
The latest development in the ransomware world is CryptoWall 2.0, a new version of this malware family that uses the Tor network for command and control.
F-Secure was the first to spot this new version on October 1, but since then the attacks have ramped up and new variants of the malware are emerging daily. Our WildFire analysis platform has picked up 84 CryptoWall 2.0 variants since September 30, delivered primarily through e-mail attachments but also through malicious PDFs and web exploit kits.
CryptoWall 2.0 is similar to other ransomware attacks that have plagued users and businesses for nearly a decade. Once it is running on a system, CryptoWall 2.0 seeks out document files and encrypts them using the RSA encryption algorithm. The attacker holds the key necessary to decrypt the fil
Talos
Snowshoe Spam Attack Comes and Goes in a Flurry
blogs_talos·2014-08-20
Snowshoe Spam Attack Comes and Goes in a Flurry
This post is authored by Alex Chiu, Jaeson Schultz and Craig Williams.
Every so often, we observe certain spam campaigns that catch our interest. On August 15, we observed a particular spam campaign that caught our attention because it was using "snowshoe" spam techniques combined with PDF exploitation. While neither of these techniques are new, we have seen a growing trend involving snowshoe spam and we wanted to explain why the bad guys seem to be moving in that direction with a real world example. As you can see from the chart below, we’ve seen the amount of snowshoe spam double since November of 2013.
Snowshoe spam can be a challenge for some anti-spam detection techniques because it typically uses multiple IP addresses with very low spam volume per IP address. Depending on how an an
Zscaler
Spearphishing Connects PCs To Russian Botnet | Zscaler
blogs_zscaler·2014-05-16·CVSS 7.8
[HIGH] Spearphishing Connects PCs To Russian Botnet | Zscaler
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
Almuthanna Alageel
and
Sergio Maffeis
Department of Computing
Imperial College London
London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
arXiv
Rethinking Misalignment to Raise the Bar for Heap Pointer Corruption
arxiv_fulltext·2018-08-08
Rethinking Misalignment to Raise the Bar for Heap Pointer Corruption
Rethinking Misalignment to Raise the Bar for Heap Pointer Corruption
Daehee Jang
KAIST
[email protected]
Hojoon Lee
KAIST
[email protected]
Brent Byunghoon Kang
KAIST
[email protected]
Michael Shell
Georgia Institute of Technology
[email protected]
Homer Simpson
Twentieth Century Fox
[email protected]
James Kirk
and Montgomery Scott
Starfleet Academy
[email protected]
Permission to freely reproduce all or part
of this paper for noncommercial purposes is granted provided that
copies bear this notice and the full citation on the first
page. Reproduction for commercial purposes is strictly prohibited
without the prior written consent of the Internet Society, the
first-named author (for reproduction of an entire paper only), and
the
arXiv
Digital Investigation of PDF Files: Unveiling Traces of Embedded Malware
arxiv_fulltext·2017-07-17
Digital Investigation of PDF Files: Unveiling Traces of Embedded Malware
Digital Investigation of PDF Files: Unveiling Traces of Embedded Malware
Davide Maiorca, Member, IEEE,
Battista Biggio, Senior Member, IEEE,
Preprint of the work accepted for publication in the IEEE Security & Privacy magazine, Special Issue on Digital Forensics, Nov. - Dec. 2017, http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7854112
The authors are with the Department of Electrical and Electronic Engineering, University of Cagliari, Piazza d'Armi, 09123 Cagliari, Italy.
Davide Maiorca: e-mail [email protected]
Battista Biggio: e-mail [email protected]
## Abstract
Over the last decade, malicious software (or malware, for short) has shown an increasing sophistication and proliferation, fueled by a flourishing underground economy, in response to the increasing complex
arXiv
Technical Aspects of Cyber Kill Chain
arxiv_fulltext·2016-06-10
Technical Aspects of Cyber Kill Chain
Technical Aspects of Cyber Kill Chain
Tarun Yadav
Scientist, Defence Research and Development Organisation, INDIA: [email protected]
Rao Arvind Mallari
Scientist, Defence Research and Development Organisation, INDIA: [email protected]
## Abstract
Recent trends in targeted cyber-attacks have increased the interest of research in the field of cyber security. Such attacks have massive disruptive effects on organizations, enterprises and governments. Cyber kill chain is a model to describe cyber-attacks so as to develop incident response and analysis capabilities. Cyber kill chain in simple terms is an attack chain, the path that an intruder takes to penetrate information systems over time to execute an attack on the target. This paper broadly categorizes the methodologies, techniques and tools involv
Bugzilla
acroread: multiple code execution flaws (APSB13-15)
bugzilla·2013-05-14·CVSS 7.5
CVE-2013-2718 [HIGH] acroread: multiple code execution flaws (APSB13-15)
acroread: multiple code execution flaws (APSB13-15)
Adobe security bulletin APSB13-15 describes multiple security flaws that could cause Adobe Acrobat Reader to crash and potentially allow an attacker to take control of the affected system:
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, CVE-2013-3341).
These updates resolve an integer underflow vulnerability that could lead to code execution (CVE-2013-2549).
These updates resolve a stack overflow vulnerability that could lead to code executio
References
- http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00004.html
- http://rhn.redhat.com/errata/RHSA-2013-0826.html
- http://security.gentoo.org/glsa/glsa-201308-03.xml
- http://www.adobe.com/support/security/bulletins/apsb13-15.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16717
- https://github.com/cisagov/vulnrichment/issues/199
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2729
- 2013-05-16: Published
- 2022-03-28: Added to CISA KEV
- Exploited in the wild