
Comment: CISA adds high-severity flaw in Adobe Acrobat Reader to KEV catalogue

October 2023 by Sylvain Cortes, VP Strategy at Hackuity

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on
Tuesday added a high-severity flaw in Adobe Acrobat Reader to its
Known Exploited Vulnerabilities (KEV) catalogue, citing evidence of
active exploitation.

Tracked as CVE-2023-21608 (CVSS score: 7.8), the vulnerability has
been described as a use-after-free bug that can be exploited to achieve
remote code execution (RCE) with the privileges of the current user.

Sylvain Cortes, VP Strategy at Hackuity, points out: "The real question
is: Why does CVSS frequently show the same low-severity score for so
long? Simple: the CVSS score relates to the vulnerability itself and
does not account for how often the vulnerability is being exploited.
Severity is intrinsic to a vulnerability, and most organisations use the
CVSS score to gauge severity. But that severity does not take into
account each organisation’s specific context.

CISA is correct to designate CVE-2023-21608 as a high-severity flaw.
This shouldn’t be news, however, to those impacted organisations who are
already looking beyond raw CVSS to factor in the Exploitability, Exploit
Maturity, and Threat Intensity of a given vulnerability. This
continuous, automated process is critical to understanding — and
remediating — the true risk to their specific attack surface."

