CVE-2022-24104
📋 TL;DR
CVE-2022-24104 is a use-after-free vulnerability in Adobe Acrobat Reader DC that could allow arbitrary code execution when a user opens a malicious PDF file. This affects users of Acrobat Reader DC versions 20.001.20085 and earlier, 20.005.3031x and earlier, and 17.012.30205 and earlier. Successful exploitation requires user interaction to open a malicious file.
💻 Affected Systems
- Adobe Acrobat Reader DC
📦 What is this software?
Acrobat by Adobe
Acrobat by Adobe
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Malicious code execution in the context of the current user, allowing file access, credential theft, and persistence mechanisms.
If Mitigated
Limited impact if user doesn't open untrusted PDFs, with potential sandbox escape prevented by security controls.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). No public exploit code available at disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.005.30334, 21.011.20099, and later versions
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb22-16.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader DC. 2. Go to Help > Check for Updates. 3. Follow prompts to install latest version. 4. Restart application after update.
🔧 Temporary Workarounds
Disable JavaScript in PDFs
allPrevents JavaScript execution in PDF files which may be used in exploitation chains
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
allForce all PDFs to open in Protected View mode to limit potential damage
Edit > Preferences > Security (Enhanced) > Check 'Enable Protected View at startup'
🧯 If You Can't Patch
- Block PDF files from untrusted sources at email gateways and web proxies
- Implement application whitelisting to prevent unauthorized executables from running
🔍 How to Verify
Check if Vulnerable:
Check Help > About Adobe Acrobat Reader DC and compare version against affected rangesCheck Version:
On Windows: wmic product where name="Adobe Acrobat Reader DC" get versionVerify Fix Applied:
Verify version is 20.005.30334 or higher, or 21.011.20099 or higher📡 Detection & Monitoring
Log Indicators:
- Acrobat crash logs with memory access violations
- Unexpected child processes spawned from Acrobat.exe
Network Indicators:
- Outbound connections from Acrobat.exe to suspicious domains
- DNS requests for known malicious domains after PDF opening
SIEM Query:
process_name:"Acrobat.exe" AND (event_id:1000 OR event_id:1001) AND exception_code:0xc0000005