CVE-2020-29075

7.1 HIGH

📋 TL;DR

This vulnerability in Adobe Acrobat Reader DC allows attackers to trigger DNS queries when users open PDF files from their local filesystem, enabling tracking of document access without user consent. The attacker can determine if a user has opened or closed a specific PDF file. Affected users include anyone running vulnerable versions of Acrobat Reader DC on Windows, macOS, or Linux systems.

💻 Affected Systems

Products:
  • Adobe Acrobat Reader DC
Versions: 2020.013.20066 and earlier, 2020.001.30010 and earlier, 2017.011.30180 and earlier
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: User interaction required - user must open a malicious PDF from local filesystem. Does not affect PDFs opened from web browsers or other sources.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could track which specific PDF documents a user opens and closes, potentially revealing sensitive information about user activities, document access patterns, or organizational workflows.

🟠 Likely Case

Targeted tracking of document access for specific users, potentially used in spear-phishing campaigns or corporate espionage to monitor document consumption patterns.

🟢 If Mitigated

Limited to tracking only that a PDF was opened/closed, not the content of the document, with no code execution or data exfiltration capabilities.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires the user to open a specially crafted PDF file. Exploitation is straightforward once the malicious PDF is delivered to the target.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020.013.20074, 2020.001.30018, 2017.011.30188

Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb20-75.html

Restart Required: Yes

Instructions:

1. Open Adobe Acrobat Reader DC
2. Go to Help > Check for Updates
3. Follow prompts to install available updates
4. Restart the application when prompted

🔧 Temporary Workarounds

Disable automatic opening of PDFs (all platforms)

Configure the system not to open PDF files automatically and to require explicit user action.

Use web browser PDF viewers (all platforms)

Configure PDF files to open in web browser viewers instead of Acrobat Reader.

🧯 If You Can't Patch

  • Implement network monitoring for suspicious DNS queries from Acrobat Reader processes
  • Educate users to only open PDFs from trusted sources and avoid opening unexpected attachments

🔍 How to Verify

Check if Vulnerable:

Check Help > About Adobe Acrobat Reader DC and compare version against affected ranges

Check Version:

On Windows: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /? | findstr /i version

Verify Fix Applied:

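Verify that the installed version is at or above the patched build for its own version series: 2020.013.20074 or higher, 2020.001.30018 or higher, or 2017.011.30188 or higher. Compare against the threshold for the matching series only; a 2020.001.x build is not fixed merely because it is numerically higher than 2017.011.30188.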
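
An added example (not Adobe's or this page's code) that applies the version comparison above per series across an inventory, since a single numeric threshold would wrongly pass 2020.001.30010. It assumes that builds starting with 2 form one rolling series and builds starting with 3 form one series per year, and that inventories may report a two-digit year; host names and sample versions are constructed.

```python
import re

# Fixed builds exactly as listed under "Patch Version" on this page.
FIXED_BUILDS = ["2020.013.20074", "2020.001.30018", "2017.011.30188"]


def parse(version):
    """Return (year, minor, build) as ints, or None if the string does not fit."""
    m = re.fullmatch(r"\s*(\d{2}|\d{4})\.(\d{1,3})\.(\d{5})(?:\.\d+)*\s*", version)
    if not m:
        return None
    year, minor, build = (int(g) for g in m.groups())
    if year < 100:  # assumption: some inventories report "20.013.20074"
        year += 2000
    return year, minor, build


def series_key(v):
    """Assumption: 2xxxx builds are one rolling series, 3xxxx builds one per year."""
    year, _, build = v
    lead = build // 10000
    if lead == 2:
        return ("rolling",)
    if lead == 3:
        return ("yearly", year)
    return None


FIXED = {series_key(parse(s)): parse(s) for s in FIXED_BUILDS}


def status(version):
    v = parse(version)
    if v is None:
        return "unparseable"
    fixed = FIXED.get(series_key(v))
    if fixed is None:
        return "unknown-series"  # not covered by this page; check the advisory
    return "fixed" if v >= fixed else "needs-update"


def triage(inventory):
    """inventory: iterable of (host, version). Returns entries that are not 'fixed'."""
    return sorted((h, ver, status(ver)) for h, ver in inventory if status(ver) != "fixed")


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [("ws-01", "2020.013.20066"), ("ws-02", "2020.013.20074"),
          ("ws-03", "2020.001.30010"), ("ws-04", "2017.011.30188"),
          ("ws-05", "2015.006.30523")]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```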

📡 Detection & Monitoring

Log Indicators:

  • DNS queries from Acrobat Reader process to unexpected domains when opening local PDF files

Network Indicators:

  • DNS requests from Acrobat Reader to attacker-controlled domains when PDF files are opened

SIEM Query:

process_name:"AcroRd32.exe" AND network_direction:outbound AND protocol:DNS
