Cyber Resilience

CVE-2020-9715

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 19 August 2020
Modified: 14 April 2026
KEV Added: 13 April 2026
Patch: 20 April 2021
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.7919 (99.1th percentile)
Risk Priority: 83 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-9715 is a high-severity Use After Free (CWE-416) vulnerability in Adobe Acrobat DC. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier contain a use-after-free vulnerability tracked as CVE-2020-9715 and assigned CWE-416. The flaw received a CVSS 3.1 score of 7.8 and can result in arbitrary code execution when triggered.

Exploitation requires local access with no privileges but depends on user interaction to open a malicious document, after which an attacker can achieve high impact on confidentiality, integrity, and availability with unchanged scope.

Adobe published fixes for the issue in APSB20-48, while technical details and proof-of-concept analysis have been released by Exodus Intelligence and the Zero Day Initiative.

Vulnerability details

Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution.

CWE(s): CWE-416
KEV Date Added: 13 April 2026

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe acrobat dc: 20.001.30002 · 15.006.30060 to 15.006.30523 · 15.008.20082 to 20.009.20074 · 17.011.30059 to 17.011.30171
adobe acrobat reader dc: 20.001.30002 · 15.006.30060 to 15.006.30523 · 15.008.20082 to 20.009.20074 · 17.011.30059 to 17.011.30171

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation), prevent: Directly requires timely application of vendor patches (APSB20-48) that eliminate the use-after-free flaw before a malicious PDF can be exploited.

SI-16 (Memory Protection), prevent: Implements memory-protection safeguards that block unauthorized code execution arising from use-after-free conditions in Acrobat/Reader.

Prevent / detect: Malicious-code detection mechanisms can inspect or sandbox incoming PDF documents that attempt to trigger the vulnerability.
