CVE-2021-45062
📋 TL;DR
A use-after-free vulnerability in Adobe Acrobat Reader DC allows arbitrary code execution when processing malicious PDF files. Attackers can exploit this by tricking users into opening specially crafted documents, potentially taking control of the affected system. Users of Adobe Acrobat Reader DC versions 21.007.20099 and earlier, 20.004.30017 and earlier, and 17.011.30204 and earlier are affected.
💻 Affected Systems
- Adobe Acrobat Reader DC
📦 What is this software?
Acrobat by Adobe
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the current user, enabling data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Malicious code execution leading to credential theft, data exfiltration, or installation of additional malware payloads.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially containing the exploit to the PDF reader process.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). No public exploit code available at time of advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.007.20099 (21.x), 20.004.30017 (20.x), 17.011.30204 (17.x) - update to latest versions
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb22-01.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader DC. 2. Go to Help > Check for Updates. 3. Follow prompts to install available updates. 4. Restart the application after installation completes.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
allPrevents execution of JavaScript in PDF files which may be used in exploitation chains
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
allOpen untrusted PDFs in Protected View mode to restrict file capabilities
File > Properties > Security > Enable Protected View for untrusted documents
🧯 If You Can't Patch
- Restrict user privileges to standard user accounts (not administrator)
- Implement application whitelisting to prevent execution of unauthorized binaries
🔍 How to Verify
Check if Vulnerable:
Check Adobe Reader version via Help > About Adobe Acrobat Reader DC and compare with affected versionsCheck Version:
Windows: wmic product where name="Adobe Acrobat Reader DC" get version
macOS: /Applications/Adobe\ Acrobat\ Reader\ DC.app/Contents/Info.plist | grep -A1 CFBundleShortVersionStringVerify Fix Applied:
Verify version is updated beyond affected versions: 21.007.20099, 20.004.30017, or 17.011.30204📡 Detection & Monitoring
Log Indicators:
- Adobe Reader crash logs with memory access violations
- Unexpected child processes spawned from AcroRd32.exe
Network Indicators:
- Outbound connections from Adobe Reader process to unknown IPs
- DNS requests for suspicious domains after PDF opening
SIEM Query:
process_name:"AcroRd32.exe" AND (event_id:1000 OR event_id:1001) AND exception_code:0xc0000005