CVE-2008-2992

HIGH KEV RANSOMWARE

Adobe Acrobat and Reader < 8.1.2 - Remote Code Execution via util.printf Format String


Exploitation Summary

CVE-2008-2992 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022, with confirmed use in ransomware campaigns. EIP tracks 7 public exploits from researchers including Metasploit, Debasis Mohanty, and Elazar, among them the Metasploit module exploits/windows/browser/adobe_utilprintf.

AI-analyzed exploit summary: This Metasploit module exploits a buffer overflow in Adobe Reader and Acrobat Professional < 8.1.3 via a malformed util.printf() entry in a crafted PDF file. It generates a PDF with embedded JavaScript that triggers the vulnerability to execute arbitrary code.

Description

Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104.

Exploits (7)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/16624

This Metasploit module exploits a buffer overflow in Adobe Reader and Acrobat Professional < 8.1.3 via a malformed util.printf() entry in a crafted PDF file. It generates a PDF with embedded JavaScript that triggers the vulnerability to execute arbitrary code.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader and Adobe Acrobat Professional < 8.1.3
No auth needed
Prerequisites: Victim must open the malicious PDF file
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/16504

This Metasploit module exploits a buffer overflow in Adobe Reader and Acrobat Professional < 8.1.3 via a malformed util.printf() entry in a crafted PDF. It delivers a payload through JavaScript embedded in the PDF, leveraging heap spraying and unescape techniques.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader and Adobe Acrobat Professional < 8.1.3
No auth needed
Prerequisites: Victim must open the malicious PDF file
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Debasis Mohanty · text · local · windows
https://www.exploit-db.com/exploits/7006

This exploit leverages a buffer overflow vulnerability in Adobe Reader's JavaScript `printf` function to execute arbitrary code via a heap spray technique. The payload is a Metasploit-generated bind shell targeting Windows systems.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader (versions affected by CVE-2008-2992)
No auth needed
Prerequisites: Victim must open a malicious PDF file with vulnerable Adobe Reader
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Elazar · text · local · windows
https://www.exploit-db.com/exploits/6994

This exploit targets a stack buffer overflow in Adobe Reader's 'util.printf()' JavaScript function, allowing remote code execution via a maliciously crafted PDF file. The exploit leverages a vulnerability in Adobe Reader versions prior to the 2008-APSB08-19 patch.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader < 8.1.2 / 9.0
No auth needed
Prerequisites: Victim must open a maliciously crafted PDF file
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by Jonas-Holmberg · poc
https://github.com/Jonas-Holmberg/CVE-2008-2992

This repository contains a functional exploit for CVE-2008-2992, leveraging Metasploit to generate a malicious PDF that exploits Adobe Reader. The automated scripts demonstrate the attack chain, including payload generation, delivery via FTP, and execution on a vulnerable Windows 7 machine.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader (versions affected by CVE-2008-2992)
No auth needed
Prerequisites: Metasploit framework · FTP server access · Vulnerable Adobe Reader installation
devstral-2 · analyzed Apr 15, 2026

metasploit WORKING POC GOOD
by MC · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/adobe_utilprintf.rb

This Metasploit module exploits a buffer overflow in Adobe Reader/Acrobat via a malformed util.printf() entry in a crafted PDF. It generates a malicious PDF with obfuscated JavaScript to trigger arbitrary code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader and Adobe Acrobat Professional < 8.1.3
No auth needed
Prerequisites: Victim opens the malicious PDF file
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC GOOD
by MC · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/adobe_utilprintf.rb

This Metasploit module exploits a buffer overflow in Adobe Reader/Acrobat < 8.1.3 via a malformed util.printf() entry in a crafted PDF. It generates a malicious PDF file containing obfuscated JavaScript that triggers the vulnerability to execute arbitrary code.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader and Adobe Acrobat Professional < 8.1.3
No auth needed
Prerequisites: Victim must open the malicious PDF file
devstral-2 · analyzed Feb 16, 2026

References (28)

Core References
Broken Link vdb-entry x_refsource_osvdb
http://osvdb.org/49520
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/30035
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/32700
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/498027/100/0/threaded
Broken Link, Vendor Advisory x_refsource_misc
http://secunia.com/secunia_research/2008-14/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/32091
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35163
Third Party Advisory vendor-advisory x_refsource_sunalert
http://download.oracle.com/sunalerts/1019937.1.html
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/32872
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7006
Broken Link, Exploit third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/4549
Third Party Advisory, VDB Entry x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-08-072/
Broken Link, Patch, Vendor Advisory x_refsource_confirm
http://www.adobe.com/support/security/bulletins/apsb08-19.html
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/498055/100/0/threaded
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/6994
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/0098
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29773
Broken Link, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA08-309A.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1021140
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/498032/100/0/threaded
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/3001
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html
Broken Link, Patch vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2008-0974.html
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/593409

Scores

CVSS v3 7.8
EPSS 0.9374
EPSS Percentile 99.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-03
VulnCheck KEV 2010-01-20
InTheWild.io 2022-03-03
ENISA EUVD EUVD-2008-2982
Ransomware Use Confirmed
CWE CWE-787
Status published
Products (3)
adobe/acrobat < 8.1.2
adobe/acrobat_reader < 8.1.2
oracle/solaris 10
Published Nov 04, 2008
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026