CVE-2009-0927

HIGH KEV

Adobe Acrobat Reader 7.0-7.1.1 - Remote Code Execution via Collab.getIcon Method

Title source: llm

Exploitation Summary

CVE-2009-0927 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 6 public exploits from authors including Metasploit, kralor, and Abysssec, among them the Metasploit module exploits/windows/browser/adobe_geticon.

AI-analyzed exploit summary: This exploit leverages a buffer overflow in Adobe Reader/Acrobat via a malformed Collab.getIcon() call in a crafted PDF. It uses JavaScript heap spraying to achieve arbitrary code execution on vulnerable versions.

Description

Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/16681

This exploit leverages a buffer overflow in Adobe Reader/Acrobat via a malformed Collab.getIcon() call in a crafted PDF. It uses JavaScript heap spraying to achieve arbitrary code execution on vulnerable versions.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader/Acrobat < 7.1.1, < 8.1.3, < 9.1
No auth needed
Prerequisites: Victim must open the malicious PDF file
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/16606

This Metasploit module exploits a buffer overflow in Adobe Reader/Acrobat via a malformed Collab.getIcon() call in a crafted PDF. It uses JavaScript heap spraying to achieve arbitrary code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader/Acrobat < 7.1.1, < 8.1.3, < 9.1
No auth needed
Prerequisites: Target must open the malicious PDF file
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by kralor · python · local · windows
https://www.exploit-db.com/exploits/9579

This exploit targets CVE-2009-0927, a vulnerability in Adobe Reader's Collab.getIcon method, allowing arbitrary code execution via a maliciously crafted PDF. The PoC generates a PDF that triggers the vulnerability when opened.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader 9.0.0/8.1.2
No auth needed
Prerequisites: Victim must open the malicious PDF file
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Abysssec · text · local · windows
https://www.exploit-db.com/exploits/8595

This exploit targets a stack overflow vulnerability in Adobe Acrobat and Reader (versions 8.1.2 to 9.0) via malicious JavaScript in a PDF. The flaw occurs due to improper bounds checking in the getIcon() method of a Collab object, allowing arbitrary code execution.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Acrobat and Reader 8.1.2 - 9.0
No auth needed
Prerequisites: User interaction to open a malicious PDF or visit a malicious website
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GOOD
by MC · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/adobe_geticon.rb

This Metasploit module exploits a buffer overflow in Adobe Reader/Acrobat via a malformed Collab.getIcon() call in a crafted PDF. It uses JavaScript heap spraying to achieve arbitrary code execution on vulnerable versions.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader/Acrobat < 7.1.1, < 8.1.3, < 9.1
No auth needed
Prerequisites: Victim must open the malicious PDF file
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC GOOD
by MC · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/adobe_geticon.rb

This Metasploit module exploits a buffer overflow in Adobe Reader/Acrobat via a malformed Collab.getIcon() call in a crafted PDF, achieving arbitrary code execution through JavaScript heap spraying.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader/Acrobat < 7.1.1, < 8.1.3, < 9.1
No auth needed
Prerequisites: Victim must open the malicious PDF file
devstral-2 · analyzed Feb 16, 2026

References (17)

Core References
Third Party Advisory, VDB Entry x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-09-014
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/9579
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/34169
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34790
Patch, Vendor Advisory x_refsource_confirm
http://www.adobe.com/support/security/bulletins/apsb09-04.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1021861
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/0770
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34490
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00005.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/502116/100/0/threaded
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34706
Broken Link vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-66-256788-1
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200904-17.xml
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1019
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/49312

Scores

CVSS v3 8.8
EPSS 0.9383
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2010-01-20
InTheWild.io 2022-03-25
ENISA EUVD EUVD-2009-0924
CWE CWE-121, CWE-20
Status published
Products (1)
adobe/acrobat_reader 7.0 - 7.1.1
Published Mar 19, 2009
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026