Is CVE-2018-4990 known to be exploited?

Yes. CVE-2018-4990 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-06-08), indicating it is being actively exploited. 13 public proof-of-concept repositories are indexed.

Vulnerability in Adobe Acrobat And Reader 2018.011.20038 Earlier, 2017.011.30079 2015.006.30417 Earlier Versions

CVE-2018-4990

Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Double Free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the…

EPSS: 0.515 (97.9th percentile) — read the EPSS interpretation.

Affected products

N/a Adobe Acrobat And Reader 2018.011.20038 Earlier, 2017.011.30079 2015.006.30417 Earlier Versions — versions Adobe Acrobat and Reader 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier versions

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2022-06-08. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2022-06-22.

Required action: Apply updates per vendor instructions.

Public proof-of-concept exploits

References

helpx.adobe.com/security/products/acrobat/apsb18-09.html (x_refsource_MISC)
1040920 (vdb-entry, x_refsource_SECTRACK)
104167 (vdb-entry, x_refsource_BID)

Frequently asked questions

What is CVE-2018-4990?: CVE-2018-4990 is a vulnerability in Adobe Acrobat And Reader 2018.011.20038 Earlier, 2017.011.30079 2015.006.30417 Earlier Versions. Published 2018-07-09.
Is CVE-2018-4990 known to be exploited?: Yes. CVE-2018-4990 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-06-08), indicating it is being actively exploited. 13 public proof-of-concept repositories are indexed.