CVE-2021-28564
📋 TL;DR
This CVE describes an out-of-bounds write vulnerability in Adobe Acrobat Reader DC's ImageTool component. An unauthenticated attacker can achieve arbitrary code execution by tricking a user into opening a malicious PDF file. Users of affected Adobe Acrobat Reader DC versions are vulnerable.
💻 Affected Systems
- Adobe Acrobat Reader DC
📦 What is this software?
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary code execution with current user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Malware installation or credential theft when users open malicious PDF files from phishing emails or compromised websites.
If Mitigated
Limited impact with proper endpoint protection, application sandboxing, and user awareness training preventing malicious file execution.
🎯 Exploit Status
Exploitation requires user interaction but is otherwise straightforward once a malicious file has been crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.001.20155, 2020.001.30025, 2017.011.30199 or later
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb21-29.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader DC.
2. Go to Help > Check for Updates.
3. Follow the prompts to install the latest version.
4. Restart the computer if required.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
Prevents JavaScript-based exploitation vectors that might be used with this vulnerability
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
Force all PDFs to open in Protected View mode to limit potential damage
Edit > Preferences > Security (Enhanced) > Check 'Enable Protected View at startup'
🧯 If You Can't Patch
- Implement application whitelisting to block unauthorized PDF readers
- Deploy endpoint detection and response (EDR) to monitor for suspicious PDF file execution
🔍 How to Verify
Check if Vulnerable:
Check Adobe Acrobat Reader DC version via Help > About Adobe Acrobat Reader DC
Check Version:
Windows (PowerShell, reads the binary's version metadata): (Get-Item "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe").VersionInfo.ProductVersion
Verify Fix Applied:
Verify version is 2021.001.20155+, 2020.001.30025+, or 2017.011.30199+
📡 Detection & Monitoring
Log Indicators:
- Adobe Reader crash logs with ImageTool component errors
- Windows Event Logs showing PDF file execution followed by suspicious process creation
Network Indicators:
- Outbound connections from the Adobe Reader process to unknown IPs
- DNS requests for suspicious domains after PDF opening
SIEM Query:
(source="*acrobat*" OR process="AcroRd32.exe") AND (event_type="crash" OR parent_process="AcroRd32.exe")
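As an added example (not from this advisory or from Adobe), a small Python pass that applies the two log indicators above to constructed sample events: it flags AcroRd32.exe crash records and any process spawned by AcroRd32.exe, rating shells and script hosts as high severity. The event field names, the suspicious-child list and the `ImageTool` faulting-module value are assumptions.

```python
from dataclasses import dataclass

# Children that Reader has no legitimate reason to launch. Hypothetical
# starting list; tune it to what your own telemetry shows as normal.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
READER = "acrord32.exe"


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(events):
    """Apply the two rules to a list of event dicts and return matching alerts."""
    alerts = []
    for ev in events:
        host = ev.get("host", "?")
        kind = ev.get("event_type")
        if kind == "crash" and _basename(ev.get("process", "")) == READER:
            alerts.append(Alert("reader_crash", host,
                                f"AcroRd32.exe crashed in module {ev.get('module', 'unknown')}"))
        elif kind == "process_create" and _basename(ev.get("parent_process", "")) == READER:
            child = _basename(ev.get("process", ""))
            severity = "high" if child in SUSPICIOUS_CHILDREN else "low"
            alerts.append(Alert(f"reader_child_{severity}", host,
                                f"AcroRd32.exe spawned {child}: {ev.get('cmdline', '')}"))
    return alerts


# Constructed sample events in a Sysmon/EDR-like shape; not real telemetry.
RDR = r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "event_type": "process_create", "parent_process": RDR,
     "process": r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
     "cmdline": "RdrCEF.exe --type=renderer"},            # normal Reader helper
    {"host": "ws01", "event_type": "crash", "process": RDR, "module": "ImageTool"},
    {"host": "ws02", "event_type": "process_create", "parent_process": RDR,
     "process": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "ws03", "event_type": "process_create",          # unrelated, no alert
     "parent_process": r"C:\Windows\explorer.exe",
     "process": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields a low-severity child alert, a crash alert and a high-severity child alert; the explorer-spawned cmd.exe produces nothing.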