CVE-2020-6115

7.8 HIGH

📋 TL;DR

A use-after-free vulnerability in Nitro Pro PDF software allows attackers to execute arbitrary code by tricking victims into opening malicious PDF documents. This affects users of Nitro Pro 13.13.2.242 who open untrusted PDF files. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:
  • Nitro Pro
Versions: 13.13.2.242
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific version mentioned; other versions may be unaffected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the user running Nitro Pro, potentially leading to full system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Arbitrary code execution leading to malware installation, credential theft, or lateral movement within the network.

🟢 If Mitigated

Limited impact if the application runs with minimal privileges, sandboxing is enabled, and users avoid opening untrusted PDFs.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (opening a malicious PDF) but no authentication. Technical details and proof-of-concept are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.13.3.242 or later

Vendor Advisory: https://www.gonitro.com/nps/security/updates

Restart Required: Yes

Instructions:

1. Open Nitro Pro.
2. Go to Help > Check for Updates.
3. Follow the prompts to install the latest version (13.13.3.242 or newer).
4. Restart the application.

🔧 Temporary Workarounds

Disable Nitro Pro as default PDF handler (windows)

Prevent automatic opening of PDFs with Nitro Pro to reduce attack surface.

Control Panel > Default Programs > Set Default Programs > Select another PDF viewer

Use application sandboxing (windows)

Run Nitro Pro in a sandboxed environment to limit potential damage from exploitation.

🧯 If You Can't Patch

  • Restrict user permissions to run Nitro Pro with minimal privileges (non-admin accounts).
  • Implement email/web filtering to block PDF attachments from untrusted sources.

🔍 How to Verify

Check if Vulnerable:

Check Nitro Pro version: Open Nitro Pro > Help > About. If version is exactly 13.13.2.242, the system is vulnerable.

Check Version:

Not applicable for command line; use GUI method above.

Verify Fix Applied:

Verify version is 13.13.3.242 or higher via Help > About in Nitro Pro.
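For fleet-wide checks the Help > About dialog does not scale, so here is an added example (not from this advisory or the vendor) that classifies an installed version string against the advisory's numbers: exactly 13.13.2.242 is vulnerable, 13.13.3.242 or higher is fixed, anything else is reported as unknown because the advisory makes no claim about it. On Windows it reads DisplayName/DisplayVersion from the standard Uninstall registry keys; matching entries whose DisplayName starts with "Nitro Pro" is an assumption about the vendor's installer, and the sample entries are constructed.

```python
"""Classify installed Nitro Pro builds against CVE-2020-6115.

Added example; not part of the advisory or of any vendor tooling. Version
numbers come from the advisory. The registry walk uses the standard Windows
Uninstall keys; the "Nitro Pro" DisplayName prefix is an assumption.
"""
import sys

VULNERABLE = (13, 13, 2, 242)   # the one build the advisory names
FIXED = (13, 13, 3, 242)        # "13.13.3.242 or higher" per the advisory


def parse_version(text):
    """Turn '13.13.2.242' into a 4-tuple of ints, padding short versions with zeros."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version: {text!r}")
        parts.append(int(digits))
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def classify(version_text):
    """'vulnerable', 'fixed' or 'unknown', following the advisory's wording."""
    version = parse_version(version_text)
    if version == VULNERABLE:
        return "vulnerable"
    if version >= FIXED:
        return "fixed"
    return "unknown"  # advisory only asserts the exact build; others are not stated


def assess_entries(entries):
    """entries: iterable of (DisplayName, DisplayVersion); returns Nitro Pro rows with a verdict."""
    return [
        (name, version, classify(version))
        for name, version in entries
        if name.lower().startswith("nitro pro")  # assumption about the installer's DisplayName
    ]


def installed_entries():
    """Windows only: (DisplayName, DisplayVersion) pairs from both registry views."""
    import winreg  # stdlib, available on Windows only
    uninstall_paths = (
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
        r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    )
    found = []
    for path in uninstall_paths:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(root, sub) as app:
                        name = winreg.QueryValueEx(app, "DisplayName")[0]
                        version = winreg.QueryValueEx(app, "DisplayVersion")[0]
                except OSError:
                    continue  # entry lacks a DisplayName or DisplayVersion
                found.append((str(name), str(version)))
    return found


# Constructed sample, used when not running on Windows.
SAMPLE_ENTRIES = [("Nitro Pro 13", "13.13.2.242"), ("7-Zip 19.00 (x64)", "19.00")]

if __name__ == "__main__":
    entries = installed_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for name, version, verdict in assess_entries(entries):
        print(f"{name} {version}: {verdict}")
```

Run it with an account that can read HKLM; on a non-Windows host it falls back to the constructed sample so the classification logic can still be exercised.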

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes of Nitro Pro
  • Process creation from Nitro Pro with suspicious command lines

Network Indicators:

  • Outbound connections from Nitro Pro to unexpected destinations

SIEM Query:

EventID=4688 AND ParentProcessName='NitroPDF.exe' AND (CommandLine CONTAINS 'powershell' OR CommandLine CONTAINS 'cmd')
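The same rule as runnable detection logic, added here as an example and not taken from the advisory or the vendor: it walks 4688 process-creation records, keeps those whose parent image is NitroPDF.exe, and flags the child when either the new image or the first token of the command line is a script host. Matching on the image name rather than a bare substring avoids firing on a document or URL that merely contains "cmd". The sample events are constructed; the install path and the script hosts beyond powershell and cmd are assumptions.

```python
"""Flag processes that Nitro Pro spawns (Windows Security event 4688).

Added example for this advisory, not code from the page or the vendor. Events
are dicts with the usual 4688 field names; the samples below are constructed.
"""
import ntpath

PARENT_IMAGE = "nitropdf.exe"  # process name used by the advisory's query

# powershell and cmd come from the advisory; the other script hosts are an
# assumption added here and can be tuned per environment.
SUSPICIOUS_IMAGES = {
    "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}


def _image(path):
    """Lower-cased file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path or "").lower()


def _launched_image(cmdline):
    """Image named by the first token of a command line, honouring a quoted path."""
    cmdline = (cmdline or "").strip()
    if not cmdline:
        return ""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        first = cmdline[1:end] if end > 0 else cmdline[1:]
    else:
        first = cmdline.split()[0]
    return _image(first)


def is_suspicious_child(event):
    """True when a 4688 event shows Nitro Pro starting a script host."""
    if str(event.get("EventID")) != "4688":
        return False
    parent = _image(event.get("ParentProcessName") or event.get("CreatorProcessName"))
    if parent != PARENT_IMAGE:
        return False
    # Check the new image and the command line's first token, not a substring,
    # so a PDF name or URL containing "cmd" does not trigger the rule.
    return (_image(event.get("NewProcessName")) in SUSPICIOUS_IMAGES
            or _launched_image(event.get("CommandLine")) in SUSPICIOUS_IMAGES)


def flag_events(events):
    """Return the subset of events that match the rule, in input order."""
    return [e for e in events if is_suspicious_child(e)]


NITRO = r"C:\Program Files\Nitro\Pro\13\NitroPDF.exe"  # install path is an assumption
SAMPLE_EVENTS = [  # constructed sample records
    {"EventID": 4688, "ParentProcessName": NITRO,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command Get-Date'},
    {"EventID": 4688, "ParentProcessName": NITRO,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ver"},
    {"EventID": 4688, "ParentProcessName": NITRO,   # benign: browser opened from a link
     "NewProcessName": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://example.invalid/cmd_cheatsheet'},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",  # wrong parent
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"EventID": 4624, "ParentProcessName": NITRO, "NewProcessName": "", "CommandLine": ""},
]

if __name__ == "__main__":
    for event in flag_events(SAMPLE_EVENTS):
        print("ALERT:", event["CommandLine"])
```

Only the first two sample records are flagged: the Edge launch with "cmd" in its URL and the cmd.exe started by explorer.exe both pass, which is the behaviour a substring-only query would get wrong.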
