CVE-2022-24091
📋 TL;DR
CVE-2022-24091 is an out-of-bounds write vulnerability in Adobe Acrobat Reader DC that allows arbitrary code execution when a user opens a malicious font file. This affects users of Acrobat Reader DC versions 21.007.20099 and earlier, 20.004.30017 and earlier, and 17.011.30204 and earlier. Successful exploitation requires user interaction but gives attackers full control of the affected system in the context of the current user.
💻 Affected Systems
- Adobe Acrobat Reader DC
📦 What is this software?
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the logged-in user, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Malicious PDFs with embedded font files delivered via phishing emails lead to malware installation on individual workstations.
If Mitigated
Limited impact with proper application whitelisting, least privilege accounts, and network segmentation preventing lateral movement.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file) but font parsing vulnerabilities are commonly exploited in PDF attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.007.20099 (for 21.x), 20.004.30017 (for 20.x), 17.011.30204 (for 17.x) or later versions
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb22-01.html
Restart Required: No
Instructions:
1. Open Adobe Acrobat Reader DC.
2. Go to Help > Check for Updates.
3. Follow the prompts to install the available updates.
4. Alternatively, download the latest version from the Adobe website.
🔧 Temporary Workarounds
Disable font parsing via registry
Platform: Windows. Modify the registry to disable embedded font parsing in PDF files:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral]
"bLoadEmbeddedFonts"=dword:00000000
Use protected view
Platform: all. Configure Acrobat Reader to open all PDFs in Protected View mode:
Edit > Preferences > Security (Enhanced) > Enable Protected View at startup
🧯 If You Can't Patch
- Implement application control to block execution of vulnerable Acrobat Reader versions
- Use network segmentation to isolate systems with vulnerable software
🔍 How to Verify
Check if Vulnerable:
Open Acrobat Reader, go to Help > About Adobe Acrobat Reader DC and compare version against affected ranges.
Check Version:
On Windows: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /? | find "Version"
Verify Fix Applied:
Check version is 21.007.20099 or higher (21.x), 20.004.30017 or higher (20.x), or 17.011.30204 or higher (17.x).
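The version comparison above is easy to get wrong by hand because each release branch (17.x, 20.x, 21.x) has its own cut-off and the middle component is zero-padded. The following is an added example, not Adobe's code or part of this advisory: it classifies a dotted version string (as shown in Help > About) against the affected ranges stated in the TL;DR, treating the listed build and anything earlier as vulnerable; the inventory values are constructed samples.

```python
"""Classify Acrobat Reader DC version strings against the affected ranges
given for CVE-2022-24091. Added example, not Adobe's code; it assumes the
dotted "major.minor.build" form shown in Help > About."""
from typing import Optional, Tuple

# Highest affected build per release branch, keyed by the major version.
# Taken from the advisory summary: "<version> and earlier" is vulnerable.
LAST_AFFECTED = {
    21: (21, 7, 20099),
    20: (20, 4, 30017),
    17: (17, 11, 30204),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '21.007.20099' into (21, 7, 20099); zero-padding is ignored."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Acrobat version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the build is inside an affected range, False if it is newer,
    None if the major version is not one of the branches the advisory lists."""
    version = parse_version(text)
    last_bad = LAST_AFFECTED.get(version[0])
    if last_bad is None:
        return None
    # Tuple comparison orders (major, minor, build) lexicographically.
    return version <= last_bad


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version from the About dialog).
    inventory = [
        ("ws-01", "21.007.20099"),  # last affected build on 21.x
        ("ws-02", "21.007.20100"),  # one build later on 21.x
        ("ws-03", "20.004.30017"),  # last affected build on 20.x
        ("ws-04", "17.012.30001"),  # newer 17.x build
        ("ws-05", "22.001.20000"),  # branch not covered by this advisory
    ]
    labels = {True: "VULNERABLE", False: "not in affected range", None: "unlisted branch"}
    for host, ver in inventory:
        print(f"{host}: {ver} -> {labels[is_vulnerable(ver)]}")
```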
📡 Detection & Monitoring
Log Indicators:
- Acrobat Reader crash logs with font parsing errors
- Windows Event Logs showing Acrobat Reader process spawning unexpected child processes
Network Indicators:
- PDF downloads from suspicious sources followed by outbound connections
- DNS requests to known malicious domains after PDF opening
SIEM Query:
source="*acrobat*" AND (event_type="crash" OR (process_name="acro*" AND child_process!=""))