September 22, 2023
News

CVE-2023-26369: One-Click PDF Exploits

About PDF attacks

A PDF is one of the most common file types. Most people in an office see PDF files on a daily basis, which makes the format a great payload for phishing attacks. There are many ways that hackers use PDF files to gain access to a company. One of the most recent attacks is CVE-2023-26369, which targeted Adobe products through an out-of-bounds memory attack.

Understanding PDF attacks

Phishing is one of the most common ways PDFs are used in attacks. The threat actor sends a fake or malicious email to a person, for example a "free vacation" email with a PDF file attached. Once the file is opened, it can use several different techniques to gain access to the system.

First, the most common and easiest way to build an exploit with a PDF is to disguise a malicious link as one pointing to a legitimate website. For example, a link can appear to go to threatlocker.com but actually take you to an attacker-run website.

The second way is embedded malicious JavaScript that executes when the file is opened (for example, a PDF file that launches malware through an executable).

Third, a more advanced approach is a buffer overflow attack. This occurs when a program accesses memory beyond the bounds it is permitted to use. It can be compared to a car drifting over the yellow line on a road.
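A defender-side first pass at the second vector above (embedded JavaScript and open-time actions) and at the disguised-link vector, as an added example that is not part of the original post: it greps raw PDF bytes for the name objects that let a file run code or reach out, and reports link targets. The sample PDF, `triage_pdf` and `attacker.example` are constructed for this example; it assumes an uncompressed PDF, while real samples often hide these objects in FlateDecode streams or hex-encode names (for example `/J#53`), so a miss here is not a clean bill of health.

```python
import re

# PDF name objects worth flagging in a first-pass triage (defender's view).
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/Launch", b"/EmbeddedFile", b"/URI")
# Anything that can run code or start a program on open is high risk;
# a bare external link is medium.
HIGH_RISK = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile"}

# Constructed sample (not a real malicious file): a one-page PDF whose
# OpenAction runs JavaScript, plus a link annotation pointing off-site.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /JavaScript /JS (sample) >> endobj
5 0 obj << /Type /Annot /Subtype /Link
           /A << /S /URI /URI (http://attacker.example/login) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def triage_pdf(data: bytes) -> dict:
    """Count risky name objects in raw PDF bytes and pull out link targets."""
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at whitespace or a delimiter, so /JS must not match /JSX.
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", data)
        if hits:
            counts[name.decode()] = len(hits)
    # Literal-string URI targets only: /URI (http://...). Hex strings and
    # compressed object streams are not decoded by this quick check.
    urls = [u.decode("latin-1")
            for u in re.findall(rb"/URI\s*\((.*?)(?<!\\)\)", data, re.S)]
    if any(n in HIGH_RISK for n in counts):
        level = "high"
    elif "/URI" in counts:
        level = "medium"
    else:
        level = "low"
    return {"level": level, "names": counts, "urls": urls}


if __name__ == "__main__":
    result = triage_pdf(SAMPLE_PDF)
    print(result["level"], result["names"])
    for url in result["urls"]:
        print("link target:", url)
```

On the sample this reports level "high" because of the /OpenAction and /JS objects, and lists the off-site link target; a file with only a /URI link scores "medium".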

Video Demonstration of CVE-2023-26369

In this video, ThreatLocker Cyber Engineer Rayton demonstrates a PDF exploit. Shoutout to Ashfaq Ansari and Krishnakant Patil from HackSys Inc for the proof of concept.

Demonstration Timestamps:

00:00:03 - Click on the malicious file.

00:00:09 - File opens.

00:00:23 - Debug console opens (for this demonstration).

00:00:24 - Memory overflow is happening.

00:00:36 - Attack finishes.

00:00:37 - Go over what happened.

How Can ThreatLocker Stop PDF Attacks?

Ringfencing™ PDF Readers:

  • ThreatLocker employs its innovative Ringfencing™ technology to safeguard PDF readers, such as Adobe Acrobat. This approach prevents the application from attempting to access unfamiliar websites or IP addresses, effectively shielding against potential vulnerabilities.

Blocking Untrusted Processes through Allowlisting:

  • Even without the use of Ringfencing™, ThreatLocker implements stringent measures to block processes initiated from potentially harmful sources. These include, but are not limited to, PowerShell, CMD, .exe files, JavaScript, and other suspicious sources.

Combining these measures can significantly reduce the risk of PDF-based attacks, fortifying your organization's security posture and ensuring a safer digital environment.

Author:
Rayton Li
Contributor:
Craig Stevenson