On October 10, the Cybersecurity and Infrastructure Security Agency (CISA) updated the Known Exploited Vulnerabilities (KEV) catalog with five known software flaws. At the top of the list: a use-after-free vulnerability in Adobe’s Acrobat and Reader PDF-viewing applications that could allow code execution with the privileges of any user who clicked on a malicious file.
The only problem: Adobe disclosed the vulnerability ten months earlier, in January, an exploit developer published proof-of-concept (PoC) code on GitHub within a week, and a working exploit was added to a commercial exploit framework in June — almost 10 months before CISA added the information to the KEV.