CVE-2021-43019
📋 TL;DR
This CVE describes a privilege escalation vulnerability in Adobe Creative Cloud installer versions 5.5 and earlier. An attacker with initial low-privileged access can exploit the Setup.exe service to delete files and gain SYSTEM privileges during installation. Users running vulnerable Creative Cloud versions are affected.
💻 Affected Systems
- Adobe Creative Cloud Desktop Application
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, allowing complete control over the system, data theft, and persistence mechanisms.
Likely Case
Local privilege escalation from a standard user to SYSTEM, enabling installation of malware, disabling security controls, or accessing protected resources.
If Mitigated
Limited impact if proper endpoint protection and least privilege principles are enforced, though privilege escalation could still occur.
🎯 Exploit Status
Requires attacker to already have low-privileged code execution and user interaction during installation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.6 or later
Vendor Advisory: https://helpx.adobe.com/security/products/creative-cloud/apsb21-111.html
Restart Required: Yes
Instructions:
1. Open the Adobe Creative Cloud application.
2. Click the gear icon (Preferences).
3. Navigate to the Apps tab.
4. Click 'Check for Updates'.
5. Install any available updates.
6. Restart the system.
🔧 Temporary Workarounds
Restrict installer execution
Limit who can run the Creative Cloud installer through Group Policy or application control
Use Windows AppLocker or Software Restriction Policies to block vulnerable installer versions
Least privilege enforcement
Ensure users operate with the minimum necessary privileges to reduce the impact of an initial compromise
Implement principle of least privilege through Active Directory or local policy
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of vulnerable Creative Cloud installers
- Use endpoint detection and response (EDR) tools to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Creative Cloud version: open the Creative Cloud app → Help → About Adobe Creative Cloud. If the version is 5.5 or earlier, the system is vulnerable.
Check Version:
Check registry: reg query "HKLM\SOFTWARE\Adobe\Adobe Creative Cloud" /v Version
Verify Fix Applied:
Verify version is 5.6 or later using same method, and check that no older installer files remain on system.
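The verification steps above as a PowerShell script, added here as an example and not part of the advisory. It reads the Version value at the registry key the advisory names and compares it with 5.6 using a numeric version comparison; the search roots for leftover installer copies, and the use of each Setup.exe's FileVersion as a proxy for its age, are assumptions.

```powershell
# Added example, not from the advisory: checks the installed Creative Cloud
# version against the fixed version (5.6) and looks for older Setup.exe copies.
# $RegPath comes from the advisory; $SearchRoots and the FileVersion heuristic are assumptions.
$FixedVersion = [version]'5.6'
$RegPath      = 'HKLM:\SOFTWARE\Adobe\Adobe Creative Cloud'

function Test-CreativeCloudVulnerable {
    $item = Get-ItemProperty -Path $RegPath -Name Version -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Vulnerable = $false }
    }
    try {
        # [version] compares numerically, so 5.10 is correctly newer than 5.6;
        # a plain string comparison would rank it below 5.6.
        $installed = [version]$item.Version
    } catch {
        throw "Unparseable Version value '$($item.Version)' at $RegPath"
    }
    [pscustomobject]@{
        Installed  = $true
        Version    = $installed
        Vulnerable = ($installed -lt $FixedVersion)
    }
}

function Find-OldInstallerCopies {
    # Assumed locations where installers are commonly staged; adjust for your environment.
    param([string[]]$SearchRoots = @("$env:ProgramFiles\Adobe", "${env:ProgramFiles(x86)}\Adobe", "$env:ProgramData\Adobe"))
    Get-ChildItem -Path $SearchRoots -Filter 'Setup.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # FileVersion may carry trailing text; keep only the leading dotted number.
            $parsed = $null
            $raw = ($_.VersionInfo.FileVersion -split '\s')[0]
            if ($raw -and [version]::TryParse($raw, [ref]$parsed) -and $parsed -lt $FixedVersion) {
                [pscustomobject]@{ Path = $_.FullName; FileVersion = $parsed }
            }
        }
}

$result = Test-CreativeCloudVulnerable
if ($result.Installed) {
    $state = if ($result.Vulnerable) { 'VULNERABLE (pre-5.6)' } else { 'patched' }
    "Creative Cloud $($result.Version): $state"
} else {
    "Creative Cloud registry key not found; nothing to check"
}
Find-OldInstallerCopies | Format-Table -AutoSize
```

Run from an elevated prompt so the HKLM key and Program Files directories are readable; an empty table from Find-OldInstallerCopies means no pre-5.6 Setup.exe was found under the assumed roots.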
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing privilege escalation attempts
- Setup.exe process spawning with SYSTEM privileges unexpectedly
- File deletion events in sensitive directories
Network Indicators:
- Unusual outbound connections following local privilege escalation
SIEM Query:
EventID=4688 AND NewProcessName ENDS WITH "\Setup.exe" AND SubjectUserSid="S-1-5-18"
(In event 4688, NewProcessName is the executable path; the launching account is recorded in SubjectUserSid/SubjectUserName, and S-1-5-18 is the Local System SID.)