CVE-2020-3745
📋 TL;DR
This CVE describes a use-after-free vulnerability in Adobe Acrobat and Reader that could allow attackers to execute arbitrary code on affected systems. Users who open malicious PDF files with vulnerable versions are at risk. The vulnerability affects multiple versions across different release tracks.
💻 Affected Systems
- Adobe Acrobat DC
- Adobe Acrobat Reader DC
- Adobe Acrobat 2017
- Adobe Acrobat Reader 2017
- Adobe Acrobat 2015
- Adobe Acrobat Reader 2015
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary code execution with the privileges of the current user, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Attackers trick users into opening malicious PDF files, leading to malware installation, credential theft, or system compromise.
If Mitigated
With proper patching and security controls, the risk is limited to users who intentionally bypass security measures to open untrusted PDFs.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious PDF file. The CVSS score of 9.8 indicates high severity and relatively low attack complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acrobat DC/Reader DC: 2020.001.20035 or later; Acrobat/Reader 2017: 2017.011.30166 or later; Acrobat/Reader 2015: 2015.006.30514 or later
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb20-05.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat or Reader.
2. Navigate to Help > Check for Updates.
3. Follow the prompts to download and install available updates.
4. Restart the application when prompted.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
All platforms: Prevents JavaScript execution in PDF files, which may mitigate some exploitation vectors
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
All platforms: Open untrusted PDFs in Protected View mode to limit potential damage
File > Properties > Security > Enable Protected View for files from potentially unsafe locations
🧯 If You Can't Patch
- Restrict PDF file handling to trusted sources only
- Implement application whitelisting to prevent unauthorized executables from running
🔍 How to Verify
Check if Vulnerable:
Check Help > About Adobe Acrobat/Reader and compare version numbers to affected ranges
Check Version:
On Windows: wmic product where name like "Adobe Acrobat%" get version
Verify Fix Applied:
Verify version is equal to or higher than the patched versions listed in the fix section
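The comparison described above, as an added example (not taken from the vendor advisory or from this page's original text): a Python check that runs an inventory of installed products against the fixed versions listed under Official Fix. It assumes product names match the Affected Systems list and that some inventory tools report the year as two digits (for example 20.001.20035); the hosts and versions in SAMPLE are constructed.

```python
import re

# Fixed versions, copied from the "Official Fix" line on this page.
FIXED = {"DC": (2020, 1, 20035), "2017": (2017, 11, 30166), "2015": (2015, 6, 30514)}

def parse_version(text):
    """Turn '2020.001.20035' or '20.001.20035' into (2020, 1, 20035)."""
    m = re.fullmatch(r"\s*(\d{4}|\d{2})\.(\d{1,3})\.(\d{5})\s*", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    year, release, build = (int(g) for g in m.groups())
    # Assumption: a two-digit first field is the year without its century.
    return (year + 2000 if year < 100 else year, release, build)

def track_for(product):
    """Map a product name from 'Affected Systems' to its release track."""
    for track in ("2017", "2015"):
        if track in product:
            return track
    if "DC" in product:
        return "DC"
    raise ValueError(f"unrecognised product: {product!r}")

def is_patched(product, version):
    # Numeric compare: as strings, '17.011.30166' sorts below '2017.011.30166'.
    return parse_version(version) >= FIXED[track_for(product)]

def triage(rows):
    """Return hosts that are below the fixed version or cannot be parsed."""
    exposed = []
    for host, product, version in rows:
        try:
            if not is_patched(product, version):
                exposed.append(host)
        except ValueError:
            exposed.append(host)  # fail closed: review by hand
    return exposed

# Constructed sample inventory (host names and versions are made up).
SAMPLE = [
    ("ws-01", "Adobe Acrobat Reader DC", "20.001.20035"),
    ("ws-02", "Adobe Acrobat Reader DC", "19.021.20061"),
    ("ws-03", "Adobe Acrobat 2017", "2017.011.30166"),
    ("ws-04", "Adobe Acrobat Reader 2015", "15.006.30510"),
    ("ws-05", "Adobe Acrobat DC", "unknown"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts whose version string cannot be parsed are reported alongside the unpatched ones, so they get checked by hand instead of being silently treated as fixed.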
📡 Detection & Monitoring
Log Indicators:
- Application crashes in Adobe Acrobat/Reader logs
- Unexpected process creation from Acrobat/Reader processes
Network Indicators:
- Outbound connections from Acrobat/Reader to unexpected destinations
- PDF downloads from untrusted sources
SIEM Query:
source="*acrobat*" AND (event_type="crash" OR process_name="cmd.exe" OR process_name="powershell.exe")