Login Sign Up

CVE-2022-28821

7.8 HIGH
Remote Code Execution

📋 TL;DR

Adobe Framemaker has an out-of-bounds write vulnerability that allows arbitrary code execution when a user opens a malicious file. This affects users of Framemaker 2029u8 and earlier, and 2020u4 and earlier. Attackers can gain the same privileges as the current user through crafted documents.

💻 Affected Systems

Products:
  • Adobe Framemaker
Versions: 2029u8 and earlier, 2020u4 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. Requires user interaction to open malicious files.

📦 What is this software?

Framemaker by Adobe

View all CVEs affecting Framemaker →

Framemaker by Adobe

View all CVEs affecting Framemaker →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Local privilege escalation leading to data exfiltration or malware installation on the affected workstation.

🟢

If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially only affecting the Framemaker process.

🌐 Internet-Facing: LOW - Exploitation requires user interaction with malicious files, not directly accessible via network.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious documents.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file). No public exploit code available as of knowledge cutoff.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2029u9 and 2020u5

Vendor Advisory: https://helpx.adobe.com/security/products/framemaker/apsb22-27.html

Restart Required: Yes

Instructions:

1. Open Adobe Framemaker. 2. Go to Help > Check for Updates. 3. Install available updates. 4. Restart Framemaker. Alternatively, download and install the latest version from Adobe's website.

🔧 Temporary Workarounds

Restrict file opening

all

Configure application control policies to restrict opening of untrusted Framemaker files.

User awareness training

all

Train users to avoid opening Framemaker files from untrusted sources.

🧯 If You Can't Patch

  • Run Framemaker with least privilege user accounts
  • Implement application sandboxing or virtualization for Framemaker

🔍 How to Verify

Check if Vulnerable:

Check Framemaker version via Help > About Adobe Framemaker. If version is 2029u8 or earlier, or 2020u4 or earlier, system is vulnerable.

Check Version:

On Windows: Check Help > About in Framemaker GUI. No direct command-line version check available.

Verify Fix Applied:

Verify version is 2029u9 or later, or 2020u5 or later after applying updates.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected Framemaker crashes
  • Suspicious file opens in Framemaker from unusual locations

Network Indicators:

  • Downloads of Framemaker files from untrusted sources

SIEM Query:

EventID=4688 AND ProcessName LIKE '%framemaker%' AND CommandLine CONTAINS '.fm'

📊 Metadata

CVE ID: CVE-2022-28821
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: May 13, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-28821, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)