CVE-2021-35982
📋 TL;DR
This CVE describes a DLL hijacking vulnerability in Adobe Acrobat Reader DC where a local attacker with non-administrative privileges can plant a malicious DLL to achieve arbitrary code execution in the context of the current user. Exploitation requires user interaction such as opening a malicious file or navigating to a compromised directory. Affected versions include Acrobat Reader DC 2021.005.20060 and earlier, 2020.004.30006 and earlier, and 2017.011.30199 and earlier.
💻 Affected Systems
- Adobe Acrobat Reader DC
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with current user privileges, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive files, credential theft, or installation of persistent malware.
If Mitigated
Limited impact due to proper application whitelisting, least privilege enforcement, and timely patching preventing successful exploitation.
🎯 Exploit Status
Requires local access, non-admin privileges, and user interaction. Attacker needs to plant DLL in specific search path locations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.005.20061, 2020.004.30007, 2017.011.30200 or later
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb21-55.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader DC.
2. Go to Help > Check for Updates.
3. Follow the prompts to install available updates.
4. Restart the application when prompted.
🔧 Temporary Workarounds
Restrict DLL search path
Windows: Use Group Policy or registry settings to restrict DLL search paths so that libraries are not loaded from untrusted directories.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
Application whitelisting
Windows: Implement application whitelisting to prevent execution of unauthorized DLLs.
🧯 If You Can't Patch
- Implement the principle of least privilege: ensure users do not have write permissions to application directories
- Use application control solutions to block execution of DLLs from user-writable locations
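The following PowerShell script is an added example (not part of the advisory or Adobe's tooling) that audits two of the controls listed above on a Windows host: whether SafeDllSearchMode is in effect, and whether broad non-admin groups hold write access to the Reader install directory. The install path is an assumed default, not a value from the advisory; adjust it if Reader is installed elsewhere.

```powershell
# Added example (not from the advisory): audit two of the workarounds above on a
# Windows host: (1) the SafeDllSearchMode registry value and (2) whether broad,
# non-admin groups hold write access to the Reader install directory.
# The install path below is an assumed default, not a value from the advisory.

function Get-SafeDllSearchModeState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $item = Get-ItemProperty -Path $key -Name SafeDllSearchMode -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit value: Windows applies its default, which is safe search mode enabled
        return [pscustomobject]@{ Present = $false; Enabled = $true; Source = 'OS default' }
    }
    [pscustomobject]@{
        Present = $true
        Enabled = ($item.SafeDllSearchMode -ne 0)
        Source  = "explicit value $($item.SafeDllSearchMode)"
    }
}

function Get-BroadWriteAccess {
    # Returns Allow ACEs that grant write-type rights to groups every local user belongs to.
    # Generic rights (high bits) are not expanded here; explicit Write/Modify/FullControl all
    # contain the WriteData bit and are caught by the mask.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $broadIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                       [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::WriteDacl)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadIdentities -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0
    }
}

# Assumed default install location (32-bit Reader on 64-bit Windows); not from the advisory
$pf = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$readerDir = Join-Path $pf 'Adobe\Acrobat Reader DC\Reader'

$dll = Get-SafeDllSearchModeState
Write-Host ("SafeDllSearchMode enabled: {0} ({1})" -f $dll.Enabled, $dll.Source)

$weak = @(Get-BroadWriteAccess -Path $readerDir)
if ($weak.Count -eq 0) {
    Write-Host "No broad write access on $readerDir (or directory not present)."
} else {
    Write-Host "Broad write access found on $readerDir; remediate per the least-privilege guidance:"
    $weak | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so the ACL of the Program Files subtree can be read in full. A hit from `Get-BroadWriteAccess` means an unprivileged user could place files in the directory Reader searches first, which is exactly the condition the least-privilege bullet above is meant to remove.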
🔍 How to Verify
Check if Vulnerable:
Check Adobe Acrobat Reader DC version via Help > About Adobe Acrobat Reader DC and compare with affected versions.
Check Version:
wmic product where "name like 'Adobe Acrobat Reader DC%'" get version
Verify Fix Applied:
Verify version is 2021.005.20061 or later, 2020.004.30007 or later, or 2017.011.30200 or later.
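As an added example (not from the advisory), the PowerShell below reads the installed Reader build from the Uninstall registry keys instead of `wmic product`, which is slow and triggers an MSI consistency check, and compares it against the fixed build for its track. It assumes the registry `DisplayVersion` uses the abbreviated year form (for example 21.005.20060), which it normalises to the four-digit form the advisory uses; the DisplayName pattern is an assumption as well.

```powershell
# Added example (not the advisory's own tooling): decide whether the installed
# Reader build is at or above the fixed build for its track.
$FixedBuilds = @{
    '2021' = [version]'2021.005.20061'   # Continuous track
    '2020' = [version]'2020.004.30007'   # Classic 2020 track
    '2017' = [version]'2017.011.30200'   # Classic 2017 track
}

function Get-AcrobatReaderInstall {
    # Uninstall keys for both 32- and 64-bit installs; DisplayName pattern is an assumption
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Acrobat Reader*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function ConvertTo-AdvisoryVersion {
    # Registry DisplayVersion is often '21.005.20060' while the advisory says '2021.005.20060'
    param([Parameter(Mandatory)][string]$DisplayVersion)
    $v = [version]$DisplayVersion
    if ($v.Major -lt 100) { $v = [version]::new($v.Major + 2000, $v.Minor, $v.Build) }
    return $v
}

function Test-AcrobatReaderPatched {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    $v = ConvertTo-AdvisoryVersion -DisplayVersion $DisplayVersion
    $track = [string]$v.Major
    if (-not $FixedBuilds.ContainsKey($track)) {
        return [pscustomobject]@{ Version = $v; Track = $track; FixedBuild = $null; Status = 'Unknown track; compare manually against the advisory' }
    }
    $fixed = $FixedBuilds[$track]
    $status = if ($v -ge $fixed) { 'Patched' } else { 'VULNERABLE' }
    [pscustomobject]@{ Version = $v; Track = $track; FixedBuild = $fixed; Status = $status }
}

# Evaluate the real install if present; otherwise fall back to constructed sample versions
$installed = @(Get-AcrobatReaderInstall)
if ($installed.Count -eq 0) {
    Write-Host 'No Acrobat Reader install found; evaluating constructed sample versions instead.'
    $installed = @(
        [pscustomobject]@{ DisplayName = '(constructed sample)'; DisplayVersion = '21.005.20060' },  # affected
        [pscustomobject]@{ DisplayName = '(constructed sample)'; DisplayVersion = '20.004.30007' },  # fixed
        [pscustomobject]@{ DisplayName = '(constructed sample)'; DisplayVersion = '17.011.30199' }   # affected
    )
}
foreach ($p in $installed) { Test-AcrobatReaderPatched -DisplayVersion $p.DisplayVersion }
```

The comparison is done on `[version]` objects rather than strings, so 2021.005.20061 correctly sorts above 2021.005.20060 and a build from a different track is never compared against the wrong threshold.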
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual paths
- Process Monitor logs showing DLL hijacking attempts
Network Indicators:
- No direct network indicators as this is a local attack
SIEM Query:
EventID=4688 AND (ProcessName="AcroRd32.exe" OR ProcessName="Acrobat.exe") AND CommandLine LIKE "%DLL%"
Note that Event ID 4688 records process creation, not module loads, so this query only surfaces Reader launches whose command line happens to mention a DLL. To see which directory Reader actually loaded a module from, use image-load telemetry such as Sysmon Event ID 7 (Image loaded) and filter for loads from outside the install and system directories.
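The following PowerShell is an added detection example (not from the advisory) built on the log indicator above, "DLL loading from unusual paths". It applies a simple rule to image-load records in the field shape of Sysmon Event ID 7: flag any DLL that a Reader process loaded from outside the system and Program Files roots. The sample events are constructed for illustration, not real telemetry, and the Reader image names and trusted roots are assumptions you may need to tune for your build.

```powershell
# Added example (not part of the advisory): flag DLLs loaded into the Reader
# process from outside its install directory or the Windows system directories.
# Field names follow Sysmon Event ID 7 (Image = process, ImageLoaded = module).

# Roots from which Reader is expected to load modules (assumption; tune per environment)
$TrustedRoots = @(
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\SysWOW64\",
    "$env:SystemRoot\WinSxS\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_.Length -gt 1 }   # drop entries whose env var is unset
$ReaderImages = @('AcroRd32.exe', 'Acrobat.exe')

function Test-SuspiciousReaderImageLoad {
    param(
        [Parameter(Mandatory)][string]$Image,        # full path of the loading process
        [Parameter(Mandatory)][string]$ImageLoaded   # full path of the loaded module
    )
    $proc = [IO.Path]::GetFileName($Image)
    if ($ReaderImages -notcontains $proc) { return $false }
    if (-not $ImageLoaded.EndsWith('.dll', [StringComparison]::OrdinalIgnoreCase)) { return $false }
    foreach ($root in $TrustedRoots) {
        if ($ImageLoaded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

function Get-SuspiciousReaderImageLoads {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if (Test-SuspiciousReaderImageLoad -Image $e.Image -ImageLoaded $e.ImageLoaded) {
            [pscustomobject]@{
                Time    = $e.UtcTime
                Process = $e.Image
                Dll     = $e.ImageLoaded
                Reason  = 'DLL loaded from outside trusted roots'
            }
        }
    }
}

# Constructed sample events (not real telemetry) in Sysmon Event ID 7 field shape
$readerExe = "${env:ProgramFiles(x86)}\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
$sample = @(
    [pscustomobject]@{ UtcTime = '2021-09-14 10:00:01'; Image = $readerExe; ImageLoaded = "$env:SystemRoot\System32\kernel32.dll" },
    [pscustomobject]@{ UtcTime = '2021-09-14 10:00:02'; Image = $readerExe; ImageLoaded = "$env:USERPROFILE\Downloads\planted.dll" },
    [pscustomobject]@{ UtcTime = '2021-09-14 10:00:03'; Image = "$env:SystemRoot\System32\notepad.exe"; ImageLoaded = "$env:USERPROFILE\Downloads\planted.dll" }
)
# Only the second event is reported: a DLL from a user-writable directory, loaded by Reader
Get-SuspiciousReaderImageLoads -Events $sample | Format-Table -AutoSize

# Live use: feed parsed Sysmon events instead of $sample, e.g. from
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } -MaxEvents 500
```

The allow-list of trusted roots is deliberately coarse; in production you would narrow it to the exact Reader install directory plus the system directories, and add the user's temp and Downloads folders as explicit high-severity paths, since those are where a user-interaction attack like the one in this advisory would stage its file.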