CVE-2021-28570
📋 TL;DR
CVE-2021-28570 is an uncontrolled search path element vulnerability (CWE-427) in Adobe After Effects. The application resolves a library it needs by searching locations an attacker can write to, so an attacker who plants a malicious library in one of those locations (for example alongside a project file the victim is sent) gets it loaded and executed when the user opens the file. The code runs with the privileges of the user running After Effects, not as SYSTEM or root; exploitation requires that a user open a malicious file. Adobe After Effects 18.1 and earlier is affected; the fix shipped in 18.2 (APSB21-33).
💻 Affected Systems
- Adobe After Effects 18.1 and earlier, on Windows and macOS
📦 What is this software?
Adobe After Effects is Adobe's motion graphics and visual effects compositing application, distributed and updated through the Creative Cloud desktop app. Project files (.aep) are routinely exchanged between editors, studios and clients, which is why a "malicious project file" lure is realistic here.
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution as the user who opened the project. If that user is a local administrator (common on editing workstations), this amounts to full compromise of the machine: theft of project assets and cached credentials or Creative Cloud session tokens, persistence, and a foothold for lateral movement into the studio network.
Likely Case
Malware installation and persistence under the victim's own account, exfiltration of project data, and use of the workstation as a pivot. Because the code runs as the current user, any further elevation needs a separate privilege escalation bug or a misconfiguration.
If Mitigated
Limited impact: application control that stops After Effects loading libraries from user-writable locations, standard (non-administrator) user accounts, and users who open project files only from trusted sources remove most of the practical risk.
🎯 Exploit Status
Requires user interaction: an attacker must get the victim to open a malicious project file (or a file placed next to a planted library). No public exploit code was known at disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: After Effects 18.2 and later
Vendor Advisory: https://helpx.adobe.com/ee/security/products/after_effects/apsb21-33.html
Restart Required: Yes
Instructions:
1. Open the Adobe Creative Cloud desktop application.
2. Navigate to the 'Apps' tab.
3. Find Adobe After Effects.
4. Click 'Update'.
5. Restart the computer after the installation completes.
🔧 Temporary Workarounds
Restrict where After Effects may load libraries from
Configure application control policies (for example AppLocker or WDAC rules covering DLLs) so that After Effects loads libraries only from its installation directory and other locations a standard user cannot write to.
User training and awareness
Train users to open project files only from trusted sources, to copy an untrusted .aep into a clean, empty folder before opening it rather than opening it in place from a download or archive, and to verify file integrity where a hash is available.
🧯 If You Can't Patch
- Implement application whitelisting so that unsigned or unexpected libraries cannot be loaded from user-writable paths
- Run After Effects under standard (non-administrator) accounts: the planted code executes as the current user, so a least-privilege account bounds the damage to that user's files and sessions
🔍 How to Verify
Check if Vulnerable:
Check the After Effects version in Help > About After Effects. Anything reporting 18.1.x or earlier is vulnerable.
Check Version:
On Windows: the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\After Effects\[version]\InstallPath gives the installation directory. The subkey name may only carry the release family, so confirm the point release from the file version of AfterFX.exe inside that InstallPath (for example via the file's Properties > Details tab).
On macOS: read CFBundleShortVersionString from the application bundle's Info.plist.
Verify Fix Applied:
Verify the version is 18.2 or higher in Help > About After Effects (or in the file version as above).
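Checking one workstation by hand is fine; checking a whole fleet is not. The script below is an added example (not Adobe's tooling and not from the original advisory): it takes a software-inventory export of the form hostname,version, which is assumed to come from whatever inventory system is in use, and lists every host below the 18.2 fix. The inventory rows are constructed. On Windows the version to export is the file version of AfterFX.exe under the InstallPath value named above, since the registry subkey name may not carry the point release.

```python
"""Find hosts still running After Effects 18.1 or earlier (CVE-2021-28570, fixed in 18.2).

Added example, not Adobe's tooling. Works on an inventory export (hostname,version)
assumed to come from the organisation's software-inventory system; the rows below are
constructed for illustration.
"""
import csv
import io
import re
from typing import Optional

FIXED = (18, 2)  # APSB21-33 ships the fix in After Effects 18.2


def parse_version(text: str) -> Optional[tuple]:
    """'18.1', '18.1.4', 'Version 18.2.0 (Build 37)' -> tuple of ints; None if no dotted number."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def is_vulnerable(version_text: str) -> bool:
    """True for 18.1 and every earlier release; False from 18.2 onwards.

    Tuple comparison handles point releases: (18, 1, 4) < (18, 2) and (18, 2, 1) >= (18, 2).
    """
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"no version number in {version_text!r}")
    return v < FIXED


def hosts_needing_patch(inventory_csv: str) -> list:
    """Return (hostname, version) for every row below 18.2.

    Rows whose version cannot be parsed are reported too: an unknown version is not
    evidence that the host is patched.
    """
    out = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        ver = row["version"].strip()
        try:
            if is_vulnerable(ver):
                out.append((row["hostname"], ver))
        except ValueError:
            out.append((row["hostname"], f"unparseable: {ver}"))
    return out


# Constructed inventory export; the hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """hostname,version
edit-01,18.1.4
edit-02,18.2.0
edit-03,17.7.1
edit-04,Version 18.2.1 (Build 8)
edit-05,unknown
"""

if __name__ == "__main__":
    for host, ver in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: {ver} -> update to 18.2 or later")
```

Feed the real export through `hosts_needing_patch` and treat every returned host as unpatched until its version is confirmed; the "unparseable" rows are usually machines whose inventory agent is stale, which is its own finding.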
📡 Detection & Monitoring
Log Indicators:
- After Effects (AfterFX.exe) loading a library from a user-writable location: a Downloads or Desktop folder, a project directory, a removable drive or a network share, rather than from its installation directory or the Windows directory (Sysmon Event ID 7 / image-load telemetry)
- After Effects loading an unsigned library, or one whose signer is neither Adobe nor Microsoft
- Unexpected child processes of AfterFX.exe such as cmd.exe, powershell.exe, wscript.exe, mshta.exe, rundll32.exe or regsvr32.exe
Network Indicators:
- Unusual outbound connections from the After Effects process, particularly shortly after a project file is opened
SIEM Query:
Image load where process_name = 'AfterFX.exe' and (image_loaded_path not under '%WINDIR%' or '%ProgramFiles%', or signature_status != 'Valid', or signer not in ('Adobe Inc.', 'Microsoft Windows'))
Process creation where parent_process_name = 'AfterFX.exe' and process_name in ('cmd.exe', 'powershell.exe', 'wscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe')
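The two SIEM queries above expressed as runnable triage logic, as an added example that is not part of the original page or of any vendor detection content. It assumes Sysmon field names (Event ID 7 ImageLoad: Image, ImageLoaded, Signed, Signature; Event ID 1 ProcessCreate: Image, ParentImage) and a Windows install; the sample events are constructed. Paths outside the Windows and Program Files trees are treated as user-writable and therefore as the highest-fidelity signal, since that is exactly where a library planted next to a project file would sit; unsigned libraries inside trusted roots and interpreter or LOLBin children of AfterFX.exe are the lower-fidelity signals.

```python
"""Triage Sysmon-style telemetry for library planting against After Effects (CVE-2021-28570).

Added example, not part of the original advisory or of any vendor detection content.
Field names follow Sysmon (EventID 7 ImageLoad, EventID 1 ProcessCreate); the sample
events at the bottom are constructed.
"""
import re
from typing import Iterable

TARGET = "afterfx.exe"

# Directories a standard user cannot write to on a default Windows install.
# A library loaded by After Effects from anywhere else is suspect, whatever it is called.
TRUSTED_ROOTS = re.compile(r"^[a-z]:\\(windows|program files|program files \(x86\))\\")

# Interpreters and LOLBins After Effects has no business spawning.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: Iterable[dict]) -> list:
    """Return one alert dict per suspicious event, in input order."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 7 and basename(ev.get("Image", "")) == TARGET:
            loaded = ev.get("ImageLoaded", "")
            signed = str(ev.get("Signed", "")).lower() == "true"
            # UNC paths (\\server\share\...) never match TRUSTED_ROOTS and so alert as well.
            if not TRUSTED_ROOTS.match(loaded.lower()):
                alerts.append({"severity": "high", "rule": "ae_library_outside_trusted_roots", "path": loaded})
            elif not signed:
                alerts.append({"severity": "medium", "rule": "ae_unsigned_library", "path": loaded})
        elif ev.get("EventID") == 1 and basename(ev.get("ParentImage", "")) == TARGET:
            child = ev.get("Image", "")
            if basename(child) in SUSPICIOUS_CHILDREN:
                alerts.append({"severity": "high", "rule": "ae_spawned_lolbin", "path": child})
    return alerts


AE = r"C:\Program Files\Adobe\Adobe After Effects 2021\Support Files\AfterFX.exe"

# Constructed events: two benign loads, a library planted next to a downloaded project,
# a library on a network share, an unsigned library under Program Files, a cmd.exe child,
# and a benign Adobe helper child.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": AE, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": AE, "ImageLoaded": r"C:\Program Files\Adobe\Common\Plug-ins\7.0\MediaCore\effect.dll",
     "Signed": "true", "Signature": "Adobe Inc."},
    {"EventID": 7, "Image": AE, "ImageLoaded": r"C:\Users\editor\Downloads\client_project\render_support.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": AE, "ImageLoaded": r"\\fileserver\projects\promo\render_support.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": AE, "ImageLoaded": r"C:\Program Files\Adobe\Adobe After Effects 2021\Support Files\thirdparty.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 1, "ParentImage": AE, "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": AE, "Image": r"C:\Program Files\Adobe\Adobe After Effects 2021\Support Files\dynamiclinkmanager.exe"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']}: {a['path']}")
```

The trusted-roots check is deliberately a path test rather than a signer test: an attacker can sign a library with some certificate, but cannot write into Program Files as a standard user. Expect a few benign hits on the medium rule from unsigned third-party plug-ins; tune those by exact path rather than by relaxing the roots.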