Cybersecurity specialists report the detection of two severe vulnerabilities in Nitro Pro, one of the most popular programs for reading and editing PDF files. According to the report, the successful exploitation of these faults would allow the deployment of severe risk scenarios.

Below is a brief report of the detected flaws, in addition to their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-21796: A use-after-free error in the JavaScript implementation within the “local_file_path” object would allow remote threat actors to trick the target user using a specially crafted document to execute arbitrary code on the affected system.

The vulnerability received a CVSS score of 7.7/10 and its successful exploitation would allow full compromise of the target system, so it is considered a high severity error.  

CVE-2021-21797: On the other hand, a boundary bug in the JavaScript implementation would allow remote hackers to send the victim a document specially designed to execute arbitrary code on the vulnerable system, cybersecurity experts mentioned.

This flaw received a CVSS score of 7.7/10 and its successful exploitation would allow threat actors to gain full access to the target system.

According to the report, both bugs reside in the following versions of Nitro Pro: v13.31.0.605 and v13.33.2.645.

While vulnerabilities can be exploited by unauthenticated threat actors through the use of PDF documents, cybersecurity experts have not detected active exploitation attempts or the existence of a malware variant associated with the attack. Security patches are now available, so users of affected deployments are encouraged to upgrade as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.