Login Sign Up

CVE-2021-40708

7.3 HIGH

📋 TL;DR

This vulnerability in Adobe Genuine Service allows authenticated attackers to escalate privileges through the AGSService installer. Attackers can gain read/write access to execute arbitrary code, but require user interaction to exploit. Users running Adobe Genuine Service version 7.3 or earlier are affected.

💻 Affected Systems

Products:
  • Adobe Genuine Service
Versions: 7.3 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both Windows and macOS versions. Requires Adobe Genuine Service to be installed and running.

📦 What is this software?

Genuine Service by Adobe

View all CVEs affecting Genuine Service →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with administrative privileges, allowing installation of persistent malware, data theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation leading to installation of additional malicious software, credential harvesting, or establishing persistence on the compromised system.

🟢

If Mitigated

Limited impact due to user interaction requirement and proper endpoint protection preventing malicious payload execution.

🌐 Internet-Facing: LOW - Requires authenticated access and user interaction, not directly exploitable over internet.
🏢 Internal Only: MEDIUM - Internal attackers with standard user credentials could exploit if they can trick users into performing required actions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and user interaction, making exploitation more difficult than fully remote attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.4 or later

Vendor Advisory: https://helpx.adobe.com/security/products/integrity_service/apsb21-81.html

Restart Required: Yes

Instructions:

1. Open Adobe Genuine Service application. 2. Check for updates in settings. 3. Install available updates. 4. Restart system if prompted. 5. Verify version is 7.4 or later.

🔧 Temporary Workarounds

Disable Adobe Genuine Service

all

Temporarily disable the service to prevent exploitation while planning update

Windows: sc stop AGSService
macOS: sudo launchctl unload /Library/LaunchDaemons/com.adobe.ags.service.plist

🧯 If You Can't Patch

  • Restrict user permissions to prevent standard users from triggering installer actions
  • Implement application whitelisting to block unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check Adobe Genuine Service version in application settings or About section

Check Version:

Windows: wmic product where name='Adobe Genuine Service' get version
macOS: /usr/local/bin/AdobeGenuineService --version

Verify Fix Applied:

Confirm version is 7.4 or later and service is running normally

📡 Detection & Monitoring

Log Indicators:

  • Unusual AGSService installer activity
  • Privilege escalation attempts in system logs
  • Unexpected service restarts

Network Indicators:

  • Unusual outbound connections from AGSService process
  • Communication with known malicious domains

SIEM Query:

process_name='AGSService' AND (event_id=4688 OR event_id=4689) AND parent_process_name NOT IN ('services.exe', 'svchost.exe')

📊 Metadata

CVE ID: CVE-2021-40708
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-379
Published: September 29, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-40708, you might also want to check these:

CVE-2023-49797 8.8

This vulnerability allows an unprivileged attacker to trick a PyInstaller-built application running ...

Same vulnerability type (CWE-379)
CVE-2023-6080 7.8

This vulnerability in Lakeside Software's SysTrack LsiAgent Installer allows local attackers to esca...

Same vulnerability type (CWE-379)
CVE-2023-3972 7.8

This vulnerability allows unprivileged local users to escalate privileges to root by exploiting inse...

Same vulnerability type (CWE-379)