CVE-2021-35980
📋 TL;DR
This path traversal vulnerability in Adobe Acrobat Reader DC allows attackers to execute arbitrary code by tricking users into opening malicious PDF files. It affects multiple versions across different release tracks. Successful exploitation requires user interaction but grants the attacker the same privileges as the current user.
💻 Affected Systems
- Adobe Acrobat Reader DC
📦 What is this software?
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the victim's computer and potentially moving laterally through the network.
Likely Case
Local privilege escalation leading to data theft, ransomware deployment, or persistent backdoor installation on individual workstations.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially only file system access without code execution.
🎯 Exploit Status
Exploitation requires social engineering to get a user to open a malicious file. No authentication is required once the file is opened.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.005.20055, 2020.004.30006, 2017.011.30198 or later
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb21-51.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader DC.
2. Go to Help > Check for Updates.
3. Follow prompts to install available updates.
4. Restart the application when prompted.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
(all platforms) Prevents JavaScript-based exploitation vectors that might be used with this vulnerability
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
(all platforms) Force all PDFs to open in Protected View mode to limit potential damage
Edit > Preferences > Security (Enhanced) > Check 'Enable Protected View at startup'
🧯 If You Can't Patch
- Implement application whitelisting to block unauthorized PDF readers
- Deploy network filtering to block PDF downloads from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check Adobe Reader version via Help > About Adobe Acrobat Reader DC and compare with affected versions
Check Version:
Windows: wmic product where name="Adobe Acrobat Reader DC" get version
macOS: grep -A1 CFBundleShortVersionString /Applications/Adobe\ Acrobat\ Reader\ DC.app/Contents/Info.plist
Verify Fix Applied:
Verify version is 2021.005.20055+, 2020.004.30006+, or 2017.011.30198+
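An added example, not part of the advisory or of Adobe's tooling: a Python check that classifies a reported version string against the three fixed builds listed above, since a plain numeric comparison across release tracks gives wrong answers. It assumes that a build number starting with 3 marks a Classic track named by its year and one starting with 2 marks the Continuous track, and that tools may report the year as two digits; the function names are illustrative.

```python
# Added example (not from the advisory): compare a reported Reader version with
# the fixed builds this page lists for CVE-2021-35980.

# (year, release, build) of the first fixed build, from the "Patch Version" line.
CONTINUOUS_FIX = (21, 5, 20055)
CLASSIC_FIXES = {20: (20, 4, 30006), 17: (17, 11, 30198)}


def parse_version(raw):
    """Parse '2021.005.20055' or '21.005.20055' into (21, 5, 20055)."""
    parts = raw.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {raw!r}")
    year, release, build = (int(p) for p in parts)
    # Assumption: installers may report a two-digit year (21) where the
    # About dialog shows four digits (2021); normalise to two digits.
    return (year % 100, release, build)


def patch_status(raw):
    """Return 'patched', 'vulnerable' or 'unknown-track' for a version string."""
    version = parse_version(raw)
    year, _, build = version
    # Assumption: build numbers 3xxxx belong to a Classic track named after
    # the year, and 2xxxx to the Continuous track (the pattern visible in the
    # three fixed builds). Each version is compared only within its own track.
    if build >= 30000:
        fix = CLASSIC_FIXES.get(year)
        if fix is None:
            return "unknown-track"
    else:
        fix = CONTINUOUS_FIX
    return "patched" if version >= fix else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real hosts.
    for sample in ("2021.005.20055", "21.001.20155", "2020.013.20074",
                   "20.004.30006", "2017.011.30196"):
        print(f"{sample:>16}  {patch_status(sample)}")
```

Note that `2020.013.20074` is reported as vulnerable: it is a Continuous-track build older than 2021.005.20055, even though it compares higher than the Classic 2020 fix.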
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from AcroRd32.exe
- Suspicious file system access patterns from Adobe Reader
Network Indicators:
- Unexpected outbound connections from Adobe Reader process
SIEM Query:
process_name:"AcroRd32.exe" AND (event_type:"process_creation" OR event_type:"file_access") AND suspicious_patterns