CVE-2022-35672

7.8 HIGH

📋 TL;DR

This vulnerability in Adobe Acrobat Reader allows an attacker to execute arbitrary code on a victim's system by tricking them into opening a malicious PDF file. It affects users of Adobe Acrobat Reader across multiple versions on various operating systems. Exploitation requires user interaction, such as opening a crafted file.

💻 Affected Systems

Products:
  • Adobe Acrobat Reader
Versions: 22.001.20085 and earlier, 20.005.30314 and earlier, 17.012.30205 and earlier
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable; no special configuration is required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with the attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or further network infiltration.

🟠 Likely Case

Local code execution in the context of the user, enabling malware installation, credential harvesting, or lateral movement within the environment.

🟢 If Mitigated

Limited impact if user awareness is high and file restrictions are in place, possibly resulting in an application crash or denial of service without code execution.

🌐 Internet-Facing: MEDIUM, as exploitation requires user interaction via malicious files often delivered through email or web downloads, but widespread phishing campaigns could increase risk.
🏢 Internal Only: MEDIUM, due to reliance on user interaction; risk is lower if internal users are trained and file sharing is controlled, but still present via internal phishing or shared drives.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious file; no public proof-of-concept has been disclosed as of the advisory date.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to version 22.001.20085 or later for 22.x, 20.005.30314 or later for 20.x, or 17.012.30205 or later for 17.x, as specified in the vendor advisory.

Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb22-16.html

Restart Required: Yes

Instructions:

1. Open Adobe Acrobat Reader.
2. Go to Help > Check for Updates.
3. Follow the prompts to download and install the latest version.
4. Restart the application, and the system if required.

🔧 Temporary Workarounds

Disable JavaScript in Adobe Reader

Platform: all

Reduces the attack surface by disabling JavaScript, which may be used in exploitation chains, though it is not directly required for this CVE.

In Adobe Reader, go to Edit > Preferences > JavaScript, then uncheck 'Enable JavaScript'.

Use Application Whitelisting

Platform: windows

Restrict execution of Adobe Reader to trusted locations, or block it entirely if it is not needed, preventing malicious file execution.

Configure via Group Policy or endpoint security tools to whitelist only approved applications.

🧯 If You Can't Patch

  • Implement strict email filtering and user training to block suspicious PDF attachments and educate users on not opening untrusted files.
  • Use endpoint detection and response (EDR) tools to monitor for unusual process execution or file access related to Adobe Reader.

🔍 How to Verify

Check if Vulnerable:

Check the Adobe Reader version by opening the application and navigating to Help > About Adobe Acrobat Reader DC, then compare with affected versions listed in the advisory.

Check Version:

On Windows, run: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /? or check via Help > About; on macOS/Linux, use the application's about dialog.

Verify Fix Applied:

After updating, verify the version is at or above the patched versions: 22.001.20085, 20.005.30314, or 17.012.30205, depending on the branch.
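The version comparison above is easy to get wrong when done by eye across three release branches, so here is an added example (not part of the advisory or Adobe's tooling) that parses Acrobat-style version strings and reports, per branch, whether an installed version meets the patched version stated on this page. The thresholds are copied from the advisory; the function names and the sample inventory are this example's own assumptions.

```python
"""Version check for CVE-2022-35672 (added example, not from the advisory).

Compares installed Adobe Acrobat Reader version strings against the patched
versions listed on this page, per release branch (22.x, 20.x, 17.x).
"""
from typing import Dict, Tuple

# Patched version per branch as stated in the advisory (key = branch major).
PATCHED_BY_BRANCH = {
    22: "22.001.20085",
    20: "20.005.30314",
    17: "17.012.30205",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '22.001.20085' into (22, 1, 20085) so it compares numerically.

    A plain string comparison would be wrong here: '22.001.9000' sorts
    after '22.001.20085' lexically but is an older build.
    """
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one version."""
    installed = parse_version(version)
    patched = PATCHED_BY_BRANCH.get(installed[0])
    if patched is None:
        # A branch the advisory does not list; needs a manual look
        return "unknown-branch"
    return "patched" if installed >= parse_version(patched) else "vulnerable"


def assess_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> verdict for a {hostname: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "ws-01": "22.001.20085",
        "ws-02": "22.001.20009",
        "ws-03": "20.005.30311",
        "ws-04": "17.012.30205",
        "ws-05": "15.023.20070",
    }
    for host, verdict in assess_inventory(sample).items():
        print(f"{host}: {sample[host]} -> {verdict}")
```

Feed it whatever your inventory tool exports (on Windows the product version is also visible under the AcroRd32.exe file's Properties > Details); any version whose major number is not one of the three advisory branches is reported as unknown rather than silently treated as safe.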

📡 Detection & Monitoring

Log Indicators:

  • Look for application crashes or errors in system logs related to Adobe Reader processes (e.g., AcroRd32.exe on Windows).
  • Monitor for unusual file access or execution events from Adobe Reader in security logs.

Network Indicators:

  • Detect downloads of PDF files from untrusted sources or unusual outbound connections post-file opening.

SIEM Query:

Example: source="*security*" AND process="AcroRd32.exe" AND (event_id="1000" OR event_id="1001") for crash detection on Windows.
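As an added example (not part of the advisory), the following script applies the same crash-detection logic offline to a few constructed Windows event log lines, so the rule can be checked before it is written into a SIEM. One caveat a practitioner will want: Windows records Event ID 1000 (source Application Error) and 1001 (source Windows Error Reporting) in the Application log, not the Security log, so the log source selected in the SIEM must include the Application log; a 1000 event names the process in "Faulting application name:", while a 1001 event carries it in the problem signature field "P1:". The pipe-delimited line format and all sample values are this example's own construction.

```python
"""Adobe Reader crash triage (added example, not from the advisory).

Flags Application log events with ID 1000 (Application Error) or 1001
(Windows Error Reporting) whose faulting process is AcroRd32.exe.
Input lines are constructed as: time|EventID|Source|Message
"""
import re
from typing import Dict, List

CRASH_EVENT_IDS = {"1000", "1001"}      # IDs used in the advisory's query
TARGET_PROCESS = "acrord32.exe"         # compared case-insensitively

# 1000 events: "Faulting application name: X, version: ..."
FAULTING_APP_RE = re.compile(r"Faulting application name:\s*([^,\s]+)", re.I)
# 1001 (WER) events: "... Problem signature: P1: X P2: ..."
WER_P1_RE = re.compile(r"\bP1:\s*(\S+)", re.I)

# Constructed sample events (times, versions and bucket ids are made up).
SAMPLE_EVENTS = [
    "2022-08-10T09:12:03|1000|Application Error|Faulting application name: "
    "AcroRd32.exe, version: 22.1.20085.0, faulting module name: AcroRd32.dll",
    "2022-08-10T09:12:05|1001|Windows Error Reporting|Fault bucket 123, type 0 "
    "Event Name: APPCRASH Problem signature: P1: AcroRd32.exe P2: 22.1.20085.0",
    "2022-08-10T09:30:00|1000|Application Error|Faulting application name: "
    "notepad.exe, version: 10.0.19041.1, faulting module name: ntdll.dll",
    "2022-08-10T09:31:00|4688|Microsoft-Windows-Security-Auditing|A new process "
    "has been created. New Process Name: C:\\Program Files\\Adobe\\Acrobat "
    "Reader DC\\Reader\\AcroRd32.exe",
    "garbage line without delimiters",
]


def faulting_app(event_id: str, message: str) -> str:
    """Extract the faulting process name from a 1000 or 1001 message."""
    rx = FAULTING_APP_RE if event_id == "1000" else WER_P1_RE
    m = rx.search(message)
    return m.group(1).lower() if m else ""


def find_reader_crashes(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per crash event attributed to AcroRd32.exe."""
    hits = []
    for line in lines:
        try:
            ts, event_id, source, message = line.split("|", 3)
        except ValueError:
            continue  # malformed line: skip rather than abort the sweep
        if event_id not in CRASH_EVENT_IDS:
            continue  # e.g. 4688 process creation is not a crash signal
        if faulting_app(event_id, message) == TARGET_PROCESS:
            hits.append({"time": ts, "event_id": event_id, "source": source})
    return hits


if __name__ == "__main__":
    for hit in find_reader_crashes(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['source']} (EventID {hit['event_id']}): AcroRd32.exe crashed")
```

A Reader crash on its own is a weak signal, since benign crashes on malformed PDFs also produce these events; the useful follow-up is to correlate the hit's timestamp with the PDF the user had just opened (mail gateway or web proxy logs) and with any process Reader spawned afterwards, as the EDR guidance above suggests.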

🔗 References
