CVE-2020-24433
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Adobe Acrobat Reader DC that allows non-administrator users to delete arbitrary files and potentially execute arbitrary code with SYSTEM privileges. Attackers need to socially engineer victims or already have some access to the environment. Affected versions include multiple release tracks of Adobe Acrobat Reader DC.
💻 Affected Systems
- Adobe Acrobat Reader DC
📦 What is this software?
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM-level code execution leading to complete system compromise, data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Arbitrary file deletion causing data loss, system instability, or privilege escalation to execute malicious payloads with elevated privileges.
If Mitigated
Limited impact with proper user access controls, application sandboxing, and endpoint protection preventing successful exploitation.
🎯 Exploit Status
Requires social engineering or existing access. Exploitation involves manipulating file operations to escalate privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.012.20048 (or later), 2020.001.30005 (or later), 2017.011.30175 (or later) depending on track
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb20-67.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader DC.
2. Go to Help > Check for Updates.
3. Follow prompts to install latest version.
4. Alternatively, download installer from Adobe website.
5. Restart system after installation.
🔧 Temporary Workarounds
Restrict User Privileges
Windows: Limit standard users' ability to run Adobe Acrobat Reader DC with elevated privileges
Use Group Policy to restrict application execution policies
Application Control
Windows: Implement application whitelisting to prevent unauthorized execution
Configure Windows Defender Application Control or third-party solutions
🧯 If You Can't Patch
- Implement strict least privilege access controls for all users
- Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Adobe Acrobat Reader DC version via Help > About Adobe Acrobat Reader DC
Check Version:
On Windows: wmic product where name="Adobe Acrobat Reader DC" get version
Verify Fix Applied:
Verify version is updated beyond affected versions: 2020.012.20049+, 2020.001.30006+, or 2017.011.30176+
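Added example (not from Adobe or from this page's source): a Python triage of version strings collected with the wmic command above, checked against the minimums in the "Verify Fix Applied" line. It assumes wmic reports the MSI-style two-digit year (for example 20.012.20048) and that builds of 30000 and above belong to a Classic track; the host names and versions in the sample are constructed.

```python
import re

# Minimum patched versions, copied from the "Verify Fix Applied" line.
FIXED_MIN = {
    "continuous": (2020, 12, 20049),
    "classic-2020": (2020, 1, 30006),
    "classic-2017": (2017, 11, 30176),
}

def parse_version(text):
    """Return (year, minor, build), or None if the text is not a version."""
    m = re.fullmatch(r"(\d{2}|\d{4})\.(\d{1,3})\.(\d{5})", text.strip())
    if m is None:
        return None
    year, minor, build = (int(g) for g in m.groups())
    # Assumption: MSI-style output drops the century from the year field.
    return (year + 2000 if year < 100 else year, minor, build)

def track_of(version):
    """Assumption: builds below 30000 are Continuous, the rest Classic <year>."""
    year, _, build = version
    return "continuous" if build < 30000 else f"classic-{year}"

def assess(text):
    """Classify one version string as patched, vulnerable, or undecidable."""
    version = parse_version(text)
    if version is None:
        return "unparsed"
    fixed = FIXED_MIN.get(track_of(version))
    if fixed is None:
        return "unknown-track"  # the page gives no threshold for this track
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory):
    """Map host -> status for 'host,version' lines; blank lines are skipped."""
    rows = (line.split(",", 1) for line in inventory.splitlines() if line.strip())
    return {host.strip(): assess(ver) for host, ver in rows}

# Constructed sample inventory (hosts and versions are illustrative only).
SAMPLE = """\
ws-001,20.012.20048
ws-002,20.013.20064
ws-003,2017.011.30175
ws-004,20.001.30010
ws-005,15.006.30523
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts that come back as "unknown-track" or "unparsed" need a manual check, since the page gives no threshold for them.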
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events by AcroRd32.exe
- Privilege escalation attempts from Adobe processes
- Suspicious child processes spawned from Adobe Reader
Network Indicators:
- Outbound connections from Adobe Reader to suspicious domains
SIEM Query:
ProcessName="AcroRd32.exe" AND (EventID=4688 OR EventID=4656) AND TargetObject contains "SYSTEM"