Adobe Reader/Acrobat CVE-2009-3459 Added to CISA KEV Under Active Exploitation
CISA added a single Adobe Reader and Acrobat vulnerability, CVE-2009-3459, to its Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation of the 2009-era buffer overflow flaw.

Key findings
- CISA added CVE-2009-3459 to the KEV catalog on May 20, 2026, confirming active exploitation.
- The flaw is a buffer overflow in Adobe Reader/Acrobat's FlateDecode filter, patched in October 2009.
- Successful exploitation enables remote code execution via a maliciously crafted PDF document.
- No ransomware campaign association has been identified for this vulnerability.
- Federal agencies must remediate per BOD 22-01; all organizations should verify patch status immediately.

The U.S. Cybersecurity and Infrastructure Security Agency added a single Adobe vulnerability to its Known Exploited Vulnerabilities catalog on May 20, 2026, confirming that CVE-2009-3459 is under active exploitation in the wild. The nearly 17-year-old flaw in Adobe Reader and Acrobat demonstrates how legacy vulnerabilities continue to provide attackers with reliable entry points long after patches are available.
CVE-2009-3459 is a critical buffer overflow vulnerability affecting the FlateDecode filter in Adobe Reader and Acrobat versions 9.x prior to 9.2, 8.x prior to 8.1.7, and potentially 7.x through 7.1.4. An attacker who successfully exploits the flaw can achieve remote code execution by convincing a user to open a specially crafted PDF document. Adobe originally patched this vulnerability in October 2009, yet its reappearance on the KEV catalog underscores persistent deployment gaps in enterprise environments.
The addition triggers Binding Operational Directive 22-01 remediation timelines for U.S. federal civilian executive branch agencies, which must apply vendor-supplied mitigations or implement compensating controls within a defined window. While the directive formally binds only federal agencies, CISA strongly urges all organizations — particularly those in critical infrastructure sectors — to treat KEV-listed vulnerabilities as urgent priorities.
Security teams should immediately verify that Adobe Reader and Acrobat installations across their environments have been updated to versions released after October 2009. For any instances still running vulnerable builds, patching should be expedited. Organizations that have long since migrated to modern PDF readers or browser-based rendering should confirm that legacy Adobe installations have been fully removed rather than left dormant on endpoints.
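One way to run that check against a software inventory export, added here as an illustration and not taken from CISA or Adobe: the script below classifies each Adobe Reader/Acrobat version against the ranges given above. The CSV column names, hostnames and sample rows are constructed assumptions.

```python
import csv
import io
import re

# Version ranges as stated in the article: 9.x before 9.2, 8.x before 8.1.7,
# and potentially 7.x through 7.1.4.
FIXED_IN = {9: (9, 2, 0), 8: (8, 1, 7)}
LAST_SUSPECT_7X = (7, 1, 4)

# Constructed sample inventory export; hostnames and column names are assumptions.
SAMPLE_INVENTORY = """host,product,version
ws-001,Adobe Reader,9.1.3
ws-002,Adobe Acrobat,8.1.7
ws-003,Adobe Reader,7.0.9
ws-004,Adobe Reader,9.2.0
ws-005,Adobe Reader,n/a
ws-006,Other PDF Viewer,8.0.0
"""

def parse_version(text):
    """Return the first three numeric components, zero-padded, or None."""
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    parts = [int(p) for p in text.strip().split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version_text):
    """Map a version string onto the article's affected ranges."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"            # needs manual review, never assume patched
    major = version[0]
    if major in FIXED_IN and version < FIXED_IN[major]:
        return "vulnerable"
    if major == 7 and version <= LAST_SUSPECT_7X:
        return "potentially vulnerable"
    return "not listed"              # outside the ranges the article gives

def audit(csv_text):
    """Return (host, version, status) for Adobe rows that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["product"].lower().startswith("adobe"):
            continue
        status = classify(row["version"])
        if status != "not listed":
            findings.append((row["host"], row["version"], status))
    return findings

if __name__ == "__main__":
    for host, version, status in audit(SAMPLE_INVENTORY):
        print(f"{host}\t{version}\t{status}")
```

A "not listed" result only means the version falls outside the ranges quoted in this article, and rows marked "unparsed" should be checked by hand.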
CISA has not associated CVE-2009-3459 with any known ransomware campaign at this time. However, the vulnerability's remote code execution capability makes it a viable vector for initial access brokers and other threat actors seeking footholds in target networks.