CVE-2021-45068
📋 TL;DR
This CVE describes an out-of-bounds write vulnerability in Adobe Acrobat Reader DC that could allow arbitrary code execution when a user opens a malicious PDF file. The vulnerability affects multiple versions across different release tracks. Successful exploitation requires user interaction to open a malicious document.
💻 Affected Systems
- Adobe Acrobat Reader DC
📦 What is this software?
Acrobat by Adobe
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Malicious actor gains control of the user's system through a phishing campaign delivering weaponized PDF files, leading to credential theft or malware installation.
If Mitigated
User opens malicious PDF but system has application sandboxing, endpoint protection, and user has limited privileges, containing the impact.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). Similar PDF-based vulnerabilities are commonly weaponized in phishing campaigns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.007.20099 (21.x track), 20.004.30017 (20.x track), 17.011.30204 (17.x track) - update to latest versions beyond these
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb22-01.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader DC. 2. Go to Help > Check for Updates. 3. Follow prompts to install available updates. 4. Restart the application when prompted.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
allPrevents JavaScript execution which may be used in exploitation chains
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
allOpen untrusted PDFs in Protected View mode to limit potential damage
File > Open > Select 'Protected View' option for untrusted files
🧯 If You Can't Patch
- Implement application whitelisting to block unauthorized PDF readers
- Deploy endpoint detection and response (EDR) to monitor for suspicious PDF reader behavior
🔍 How to Verify
Check if Vulnerable:
Check Adobe Reader version via Help > About Adobe Acrobat Reader DC and compare against affected versionsCheck Version:
On Windows: wmic product where name="Adobe Acrobat Reader DC" get versionVerify Fix Applied:
Verify version is updated beyond affected versions: 21.x > 21.007.20099, 20.x > 20.004.30017, 17.x > 17.011.30204📡 Detection & Monitoring
Log Indicators:
- Adobe Reader crash logs with memory access violations
- Windows Event Logs showing unexpected process creation from AcroRd32.exe
Network Indicators:
- Outbound connections from Adobe Reader process to suspicious domains
- DNS queries for known exploit kit domains
SIEM Query:
process_name:"AcroRd32.exe" AND (event_id:1 OR parent_process_name:"explorer.exe") AND command_line:"*.pdf"