CVE-2021-28545
📋 TL;DR
This vulnerability allows attackers to tamper with certified PDF documents without invalidating their certification. Attackers can manipulate data in certified PDFs, potentially altering signed content while maintaining the appearance of validity. Users of affected Adobe Acrobat Reader DC versions who open manipulated files are at risk.
💻 Affected Systems
- Adobe Acrobat Reader DC
📦 What is this software?
Acrobat by Adobe
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify certified legal documents, financial records, or signed contracts while maintaining certification status, leading to fraud, legal disputes, or unauthorized changes to important documents.
Likely Case
Attackers create malicious PDFs that appear certified but contain manipulated content, tricking users into trusting tampered documents for phishing or misinformation campaigns.
If Mitigated
With proper patching and user awareness, the risk is limited to users who still open untrusted PDF files from unknown sources.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). No public exploit code identified in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.013.20075, 2020.001.30019, 2017.011.30189 or later
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb21-09.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader DC. 2. Go to Help > Check for Updates. 3. Follow prompts to install available updates. 4. Restart the application.
🔧 Temporary Workarounds
Disable JavaScript in PDFs
allPrevents potential JavaScript-based exploitation vectors
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Enhanced Protected Mode
windowsEnable sandboxing features to limit impact
Edit > Preferences > Security (Enhanced) > Enable Protected Mode at startup
🧯 If You Can't Patch
- Implement application whitelisting to block execution of older Acrobat Reader versions
- Use PDF viewing alternatives for untrusted documents and restrict Acrobat Reader to trusted sources only
🔍 How to Verify
Check if Vulnerable:
Check Help > About Adobe Acrobat Reader DC and compare version against affected rangesCheck Version:
On Windows: wmic product where name="Adobe Acrobat Reader DC" get versionVerify Fix Applied:
Verify version is 2020.013.20075+, 2020.001.30019+, or 2017.011.30189+📡 Detection & Monitoring
Log Indicators:
- Acrobat crash logs with manipulated PDF files
- Security event logs showing PDF file execution from untrusted sources
Network Indicators:
- Downloads of PDF files from suspicious sources followed by Acrobat execution
SIEM Query:
process_name:"AcroRd32.exe" OR process_name:"Acrobat.exe" AND file_extension:".pdf" AND parent_process NOT IN (trusted_browsers)