What happened

CISA added CVE-2020-9715 (Adobe Acrobat Use-After-Free) to the Known Exploited Vulnerabilities (KEV) catalog on 2026-04-13, indicating confirmed exploitation in the wild and triggering federal patch mandates with a 2026-04-27 due date for remediation CISA KEV. The vulnerability is tracked as a use-after-free flaw (CWE-416) in Adobe Acrobat that can enable code execution NVD: CVE-2020-9715. The public CVE record corroborates the issue scope and timeline for CVE-2020-9715 MITRE CVE.

Per CISA’s required action, federal agencies must apply vendor mitigations or discontinue use if mitigations are unavailable, following Binding Operational Directive processes that govern KEV entries CISA KEV. Acrobat is explicitly named as the impacted product in the CVE entry and KEV context NVD: CVE-2020-9715.

Why it matters

A KEV designation means adversaries are actively exploiting this bug in real environments, elevating it to a “patch-or-remove” priority for defenders under federal guidance CISA KEV. Use-after-free flaws (CWE-416) are high-impact because dangling pointers can be steered to attacker-controlled memory, enabling arbitrary code execution within the victim process NVD: CVE-2020-9715. When the target is a document processor like Acrobat, exploitation typically translates into execution in the user’s context after the application parses hostile content, a risk explicitly reflected in the CVE’s RCE characterization NVD: CVE-2020-9715.

CVE-2020-9715’s appearance in KEV years after initial disclosure underscores a recurring pattern: legacy client-side bugs remain monetizable for threat actors long after patches exist, especially where patch coverage is uneven. KEV codifies that this issue is not hypothetical—it is being used—and prioritizes response across government and critical sectors CISA KEV. The CVE record provides authoritative metadata to align asset, vulnerability, and risk tracking around a single identifier MITRE CVE.

Technical detail

• Identifier: CVE-2020-9715 MITRE CVE
• Affected product: Adobe Acrobat NVD: CVE-2020-9715
• Weakness class: Use-After-Free (CWE-416), which arises when memory is freed but subsequent code continues to reference it, allowing attackers to manipulate program control flow and memory content NVD: CVE-2020-9715
• Impact: Code execution within the Acrobat process, as reflected in the vulnerability description for this CVE NVD: CVE-2020-9715

Use-after-free exploitation typically involves grooming heap state so that a freed object’s slot is reoccupied with data the attacker controls; subsequent operations on the dangling pointer then dereference attacker-chosen values, enabling instruction pointer redirection or ROP-based execution. That exploitation model maps directly to the CWE-416 class attributed to this CVE NVD: CVE-2020-9715. The KEV listing confirms that threat actors have operationalized a working exploit chain in the wild for Acrobat, elevating urgency beyond theoretical exposure CISA KEV.

Administrative context matters: Once a CVE lands in KEV, federal civilian agencies are required to remediate by the catalog’s due date or remove the technology from use, per the standing enforcement model that accompanies KEV entries CISA KEV. The CVE registry entry provides the canonical reference to ensure configuration management databases and scanners are aligned to the same identifier and description MITRE CVE.

Defense

Prioritize the following, anchored to KEV policy and the authoritative CVE metadata:

• Remediate per vendor instructions immediately; where mitigations or patches are not yet deployed, remove or disable Acrobat in affected workflows to meet KEV obligations CISA KEV.
• Track and enforce the KEV remediation deadline (2026-04-27) across all impacted systems; exceptions should trigger removal until patched CISA KEV.
• Ensure vulnerability management tools are keyed to CVE-2020-9715 so inventory and compliance reporting align on the correct flaw definition MITRE CVE.
• Treat Acrobat as high-risk software until remediation is confirmed; the RCE characterization for this CVE warrants expedited change windows and validation NVD: CVE-2020-9715.

Operationally, confirm closure with control-plane evidence (deployment artifacts, EDR telemetry showing updated binaries, and before/after vulnerability scans keyed to CVE-2020-9715). Maintain a rollback plan that defaults to discontinuation of use if mitigations cannot be validated by the KEV due date CISA KEV.

Lyrie Verdict

CVE-2020-9715 sits in the KEV catalog, meaning live exploitation is happening against Adobe Acrobat today CISA KEV. Lyrie ingests KEV updates in near-real-time and automatically elevates affected software to strict policy: we flag Acrobat processes associated with CVE-2020-9715 exposure for immediate containment until patch attestation is observed, and we enforce machine-speed guardrails consistent with KEV’s patch-or-remove mandate CISA KEV. Our autonomous detectors align to the CVE identifier and CWE class to prioritize responses to use-after-free exploit behavior within Acrobat’s execution context NVD: CVE-2020-9715. Bottom line: KEV-listed client-side RCEs are ideal automation targets for rogue AI-driven campaigns; Lyrie closes that window by turning KEV signals into immediate, enforced action—no human-in-the-loop delay MITRE CVE.