CVE-2021-28562
📋 TL;DR
CVE-2021-28562 is a use-after-free vulnerability in Adobe Acrobat Reader DC (and Acrobat DC, which shares the same code base and is covered by the same bulletin) that leads to arbitrary code execution when the application processes a malicious PDF whose embedded JavaScript issues search queries. The code runs with the privileges of the user who opened the file, so the attacker needs the victim to open the PDF but nothing more. Affected versions: 2021.001.20150 and earlier (Continuous track), 2020.001.30020 and earlier (Classic 2020), and 2017.011.30194 and earlier (Classic 2017), on Windows and macOS. Fixed in Adobe bulletin APSB21-29 (May 2021).
💻 Affected Systems
- Adobe Acrobat Reader DC (Continuous, Classic 2020 and Classic 2017 tracks), Windows and macOS
- Adobe Acrobat DC (same tracks and platforms; fixed by the same bulletin, APSB21-29)
📦 What is this software?
Adobe Acrobat Reader DC is Adobe's free PDF viewer for Windows and macOS; Acrobat DC is the paid editor built on the same engine. Both embed a JavaScript interpreter that a PDF can drive, which is the surface this bug sits on, and both ship a process sandbox (Protected Mode) and a read-only Protected View for untrusted files.
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution as the logged-in user. If that user is a local administrator, or the attacker chains a separate privilege-escalation bug, this becomes full control of the host and a foothold for pivoting to other systems.
Likely Case
A phishing or drive-by PDF that runs code in the victim's user context: malware installation, theft of files and browser or cached credentials reachable by that account, and ransomware deployment on everything the user can write to. The bug itself does not escalate privileges; anything beyond the user's own rights needs a second vulnerability.
If Mitigated
With Protected Mode (the Reader sandbox) enabled, code execution is confined to the sandboxed process and the attacker needs an additional sandbox-escape bug to reach the user's files and the wider system. Data already loaded into the Reader process remains exposed.
🎯 Exploit Status
Exploitation requires user interaction (opening the malicious PDF); once the file renders and its embedded JavaScript runs, no further clicks are needed. JavaScript execution is required. As with any use-after-free, reliable exploitation needs heap grooming, which in Reader is typically done from the same embedded JavaScript, so disabling JavaScript removes both the trigger and the attacker's grooming primitive.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.001.20155 (Continuous), 2020.001.30025 (Classic 2020), 2017.011.30199 (Classic 2017)
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb21-29.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader DC.
2. Go to Help > Check for Updates.
3. Follow the prompts to install the latest version for your track.
4. Restart the application.
For managed fleets, push the update package through your software-distribution tooling rather than relying on users to run Check for Updates; the same patch versions apply to Acrobat DC.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
Prevents PDF-embedded JavaScript from running at all, which removes the trigger this vulnerability depends on. Forms and workflows that rely on JavaScript will stop working.
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
Protected View opens untrusted PDFs read-only inside the sandbox with JavaScript and most other active content blocked until the user explicitly trusts the document. It is a per-document speed bump, not a hard block: a user can still click 'Enable All Features' on the yellow bar.
Edit > Preferences > Security (Enhanced) > Protected View > select 'All files' (or at least 'Files from potentially unsafe locations'); on the same page keep 'Enable Protected Mode at startup' checked.
🧯 If You Can't Patch
- Disable JavaScript immediately, preferably through the HKLM FeatureLockDown policy key so users cannot turn it back on from Preferences
- Turn Protected View on for all files and keep Protected Mode (the sandbox) enabled
- Use application control (AppLocker or WDAC publisher rules with a minimum file version) so unpatched Reader and Acrobat binaries cannot run
- Treat PDFs arriving from outside the organisation as untrusted: quarantine or detonate them at the mail gateway where the business allows it
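The two workarounds above can be enforced centrally so users cannot undo them. The following PowerShell is an added example, not Adobe's own tooling or a script from this page: it writes the HKLM FeatureLockDown policy values documented in Adobe's Preference Reference (bEnableJS, bProtectedMode and iProtectedView are Adobe's key names; the function name and the Reader/Acrobat switch are this example's own). Run it as Administrator on the endpoint, or deploy the same values through GPO or the Acrobat Customization Wizard.

```powershell
# Added example, not Adobe's code. Locks down JavaScript and Protected View for
# Acrobat Reader DC (default) or Acrobat DC through the HKLM FeatureLockDown
# policy keys. Values written here are greyed out in Edit > Preferences.
function Set-AcrobatJsLockdown {
    param(
        [ValidateSet('Reader', 'Acrobat')]
        [string]$Product = 'Reader'
    )
    # Reader DC and Acrobat DC keep their policy keys under different names.
    $productKey = if ($Product -eq 'Reader') { 'Acrobat Reader' } else { 'Adobe Acrobat' }
    $lockdown = "HKLM:\SOFTWARE\Policies\Adobe\$productKey\DC\FeatureLockDown"

    if (-not (Test-Path $lockdown)) {
        New-Item -Path $lockdown -Force | Out-Null
    }

    # bEnableJS = 0: disable Acrobat JavaScript and lock the preference checkbox.
    Set-ItemProperty -Path $lockdown -Name 'bEnableJS' -Type DWord -Value 0
    # bProtectedMode = 1: keep the process sandbox (Protected Mode) on and locked.
    Set-ItemProperty -Path $lockdown -Name 'bProtectedMode' -Type DWord -Value 1
    # iProtectedView = 2: open every PDF read-only in Protected View
    # (1 = only files from potentially unsafe locations, 0 = off).
    Set-ItemProperty -Path $lockdown -Name 'iProtectedView' -Type DWord -Value 2

    # Read the values back so the caller can confirm what was applied.
    Get-ItemProperty -Path $lockdown |
        Select-Object bEnableJS, bProtectedMode, iProtectedView
}

# Apply to Reader DC; rerun with -Product Acrobat on hosts that also have Acrobat DC.
Set-AcrobatJsLockdown -Product Reader
```

Because the values live under HKLM\SOFTWARE\Policies they apply to every user on the machine and take precedence over per-user settings; the application must be restarted for them to take effect.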
🔍 How to Verify
Check if Vulnerable:
Check Adobe Reader version via Help > About Adobe Acrobat Reader DC and compare with affected versions.
Check Version:
On Windows: wmic product where name="Adobe Acrobat Reader DC" get version
Note that 'wmic product' is slow (it triggers an MSI consistency check of every installed product) and wmic itself is deprecated; reading DisplayVersion from the Uninstall registry keys is faster and also catches Acrobat DC. The registry stores the version with a two-digit year, e.g. 21.001.20150 for 2021.001.20150.
Verify Fix Applied:
Verify that the installed version is 2021.001.20155 or later on the Continuous track, 2020.001.30025 or later on Classic 2020, or 2017.011.30199 or later on Classic 2017. Compare within the track: a 2020.x build is not "older" than a 2021.x build for this purpose, it is a separate release line with its own fixed version.
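Because each release track has its own fixed build, a plain string or numeric comparison against one version is wrong. The PowerShell below is an added example (not from the advisory or from Adobe): it reads every installed Acrobat or Reader product from both Uninstall registry views, works out the track from the year prefix, and compares against the APSB21-29 fixed version for that track. The function names are this example's own; the fixed versions are those of the bulletin.

```powershell
# Added example, not Adobe's code. Flags Acrobat / Reader installs still
# vulnerable to CVE-2021-28562 by comparing against the APSB21-29 fixed build
# of the matching release track.

# Fixed versions per track (registry DisplayVersion uses a two-digit year).
$FixedByTrack = @{
    '21' = [version]'21.1.20155'   # Continuous   (2021.001.20155)
    '20' = [version]'20.1.30025'   # Classic 2020 (2020.001.30025)
    '17' = [version]'17.11.30199'  # Classic 2017 (2017.011.30199)
}

function Get-AcrobatTrackAndVersion {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    # Accept both "2021.001.20150" (advisory form) and "21.001.20150" (registry form).
    $parts = $DisplayVersion.Split('.')
    if ($parts.Count -ne 3) { throw "Unexpected version format: $DisplayVersion" }
    $year = $parts[0]
    if ($year.Length -eq 4) { $year = $year.Substring(2) }
    # [int] casts drop the zero padding ("001" -> 1) so [version] compares numerically.
    $v = [version]('{0}.{1}.{2}' -f [int]$year, [int]$parts[1], [int]$parts[2])
    [pscustomobject]@{ Track = $year; Version = $v }
}

function Test-Apsb2129Vulnerable {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    $info  = Get-AcrobatTrackAndVersion -DisplayVersion $DisplayVersion
    $fixed = $FixedByTrack[$info.Track]
    if (-not $fixed) {
        # A track not listed in the bulletin (e.g. a later major release): not affected.
        return $false
    }
    return ($info.Version -lt $fixed)
}

# Enumerate installed Acrobat / Reader products from both 32- and 64-bit
# Uninstall views instead of the slow, deprecated 'wmic product'.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Adobe Acrobat*' -and $_.DisplayVersion } |
    ForEach-Object {
        [pscustomobject]@{
            Product    = $_.DisplayName
            Version    = $_.DisplayVersion
            Vulnerable = Test-Apsb2129Vulnerable -DisplayVersion $_.DisplayVersion
        }
    } | Format-Table -AutoSize
```

Test-Apsb2129Vulnerable can also be fed versions collected elsewhere (an inventory export, for instance); '21.001.20150' and '2017.011.30194' both return True, '20.001.30025' returns False.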
📡 Detection & Monitoring
Log Indicators:
- Application Error (Event ID 1000) and Windows Error Reporting (Event ID 1001, APPCRASH) entries for AcroRd32.exe (Reader) or Acrobat.exe (Acrobat DC) with exception code 0xc0000005 (access violation). These mark failed exploitation attempts; a successful exploit does not crash the process, so the absence of crashes proves nothing.
- Sysmon Event ID 1 (or EDR process-creation telemetry) where AcroRd32.exe or Acrobat.exe is the parent of cmd.exe, powershell.exe, rundll32.exe, mshta.exe, wscript.exe or similar. Reader's own helpers (RdrCEF.exe, AdobeCollabSync.exe) are expected children and should be excluded.
Network Indicators:
- Outbound connections from the Reader process, or from a child it spawned, shortly after a PDF is opened, especially to newly seen domains or raw IP addresses
SIEM Query:
process_name:(AcroRd32.exe OR Acrobat.exe) AND event_id:1000 AND exception_code:c0000005
Field names vary by SIEM. For Event ID 1001 the exception code is not a dedicated field but the seventh APPCRASH parameter (P7), so query that record type separately rather than folding it into the Event ID 1000 search.
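For hosts without a SIEM feed, the same two hunts can be run locally. The PowerShell below is an added example, not part of the original page: the first function pulls Reader and Acrobat access-violation crashes from the Application log, the second finds Reader or Acrobat spawning a shell or script host from the Sysmon operational log. The function names and the list of suspicious child processes are this example's own choices; the event IDs and field layouts are Windows' and Sysmon's.

```powershell
# Added example, not from the advisory. Two hunts for CVE-2021-28562 activity:
#   1. Reader/Acrobat access-violation crashes (failed exploitation attempts).
#   2. Reader/Acrobat spawning a shell or script host (post-exploitation).
# Reader DC runs as AcroRd32.exe, Acrobat DC as Acrobat.exe; both are matched.
$AcrobatImages = @('AcroRd32.exe', 'Acrobat.exe')

function Get-AcrobatCrashEvents {
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Event 1000 property order: 0 app name, 1 app version, 3 faulting module,
        # 6 exception code (the "0x" prefix is added by the message template), 7 offset.
        $p = $_.Properties
        if ($p.Count -lt 8) { return }
        if ($AcrobatImages -notcontains $p[0].Value) { return }
        if ($p[6].Value -notmatch '^(0x)?c0000005$') { return }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Application = $p[0].Value
            AppVersion  = $p[1].Value
            FaultModule = $p[3].Value
            FaultOffset = $p[7].Value
        }
    }
}

function Get-AcrobatSuspiciousChildren {
    param([int]$Days = 30)
    # Example list of living-off-the-land children; Reader's own helpers
    # (RdrCEF.exe, AdobeCollabSync.exe) are deliberately not in it.
    $suspicious = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe',
                    'mshta.exe', 'wscript.exe', 'cscript.exe', 'regsvr32.exe')
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData by field name, not position: Sysmon has added fields to
        # Event 1 across versions, so positional indexes are unreliable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not $data['ParentImage'] -or -not $data['Image']) { return }
        $parent = Split-Path -Leaf $data['ParentImage']
        $child  = Split-Path -Leaf $data['Image']
        if ($AcrobatImages -contains $parent -and $suspicious -contains $child) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $data['ParentImage']
                Child       = $data['Image']
                CommandLine = $data['CommandLine']
                User        = $data['User']
            }
        }
    }
}

Get-AcrobatCrashEvents -Days 30 | Sort-Object Time -Descending | Format-Table -AutoSize
Get-AcrobatSuspiciousChildren -Days 30 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Get-WinEvent needs read access to the logs (run elevated for the Sysmon channel), and the Sysmon hunt silently returns nothing on hosts where Sysmon is not installed, so treat an empty result from the second function as "no telemetry" rather than "no activity".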