CVE-2023-26358
📋 TL;DR
This CVE describes an Untrusted Search Path vulnerability in Adobe Creative Cloud versions 5.9.1 and earlier. Attackers can manipulate the application's search path to execute malicious programs, access unauthorized data, or modify configurations. All users running affected Creative Cloud versions are vulnerable.
💻 Affected Systems
- Adobe Creative Cloud Desktop Application
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution with the privileges of the Creative Cloud application user, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local privilege escalation or execution of malicious payloads that steal credentials, exfiltrate creative assets, or install additional malware.
If Mitigated
Limited impact due to proper access controls, application sandboxing, and user privilege restrictions preventing system-wide compromise.
🎯 Exploit Status
Exploitation requires local access to the target system. The vulnerability is in the CWE-426 category (Untrusted Search Path), which typically involves DLL hijacking or similar path manipulation attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Creative Cloud Desktop Application 5.10 or later
Vendor Advisory: https://helpx.adobe.com/security/products/creative-cloud/apsb23-21.html
Restart Required: Yes
Instructions:
1. Open the Creative Cloud desktop application.
2. Click the three-dot menu in the top-right corner.
3. Select 'Check for app updates'.
4. If an update to 5.10 or later is available, click 'Update'.
5. Restart the Creative Cloud application after the update completes.
🔧 Temporary Workarounds
Restrict Write Permissions to Creative Cloud Directories
(All platforms) Prevent unauthorized users from writing to the Creative Cloud installation directories and to any directory on the search PATH. Note that icacls deny entries take precedence over allow entries, so test the change on one machine before deploying it broadly.
Windows: icacls "C:\Program Files\Adobe\Adobe Creative Cloud" /deny Users:(OI)(CI)W
macOS: chmod -R go-w "/Applications/Utilities/Adobe Creative Cloud"
Use Application Whitelisting
(Windows) Configure Windows Defender Application Control or a similar solution to allow execution of signed Adobe binaries only.
🧯 If You Can't Patch
- Remove local user access for untrusted users on Creative Cloud systems
- Implement strict privilege separation - run Creative Cloud with limited user accounts
🔍 How to Verify
Check if Vulnerable:
Check the Creative Cloud version: open the Creative Cloud app → click the three-dot menu → About Creative Cloud. If the version is 5.9.1 or earlier, the system is vulnerable.
Check Version:
Windows: "C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" --version (if available), or check via the GUI. macOS: check via the Creative Cloud GUI, as a command-line version check may not be available.
Verify Fix Applied:
Confirm the Creative Cloud version is 5.10 or later using the same method. Verify that no unauthorized files exist in the Creative Cloud installation directories.
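One way to make the "no unauthorized files" check repeatable is to record a baseline manifest (relative path and SHA-256 of every file) of the installation directory right after patching and diff it on each later check. The script below is an added example, not Adobe's or the advisory's own tooling; it builds the baseline against a constructed stand-in directory in a temp folder, then drops an unexpected file and tampers with an existing one to show what the diff reports. Point build_manifest at the real install path (the Windows and macOS paths listed above) in practice.

```python
"""Baseline-and-diff integrity check for an application install directory.
Added example; not part of the advisory. All paths and file contents are
constructed placeholders."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every regular file under root (relative, POSIX-style) to its SHA-256."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): sha256_of(p)
        for p in root_path.rglob("*")
        if p.is_file()
    }


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed install tree, baseline it, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for the real install directory.
        app = Path(tmp) / "Adobe Creative Cloud"
        (app / "ACC").mkdir(parents=True)
        (app / "ACC" / "Creative Cloud.exe").write_bytes(b"stand-in binary")
        (app / "ACC" / "helper.dll").write_bytes(b"stand-in library")
        baseline = build_manifest(str(app))

        # Simulate an unauthorized drop and a modified existing file.
        (app / "ACC" / "unexpected.dll").write_bytes(b"not from the vendor")
        (app / "ACC" / "helper.dll").write_bytes(b"stand-in library (changed)")

        return diff_manifest(baseline, build_manifest(str(app)))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Store the baseline manifest somewhere the application's user cannot write (otherwise a local attacker who can plant files can also rewrite the baseline), and treat any "added" entry in the install or PATH directories as something to investigate, not just "modified".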
📡 Detection & Monitoring
Log Indicators:
- Unexpected process execution from Creative Cloud directories
- Failed attempts to write to protected Creative Cloud paths
- Security logs showing privilege escalation from Creative Cloud context
Network Indicators:
- Unusual outbound connections originating from Creative Cloud processes
- DNS requests for suspicious domains from Creative Cloud
SIEM Query:
Process Creation (e.g. Sysmon Event ID 1 or Windows Security Event 4688) where (Image contains "Creative Cloud" OR ParentImage contains "Creative Cloud") AND (Image is located outside the Adobe installation directories OR CommandLine references a .dll or .exe located outside the Adobe installation directories)
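The following Python is an added example (not part of the advisory, and not an Adobe or SIEM vendor tool) that implements the query above as plain detection logic over constructed Sysmon-style process-creation records, so the rule can be tested before it is translated into a SIEM's query language. The Adobe install roots, the "Creative Cloud Helper.exe" child name and the "--plugin" argument are assumptions made for the sample data, not documented Creative Cloud behaviour.

```python
"""Process-creation detection for Creative Cloud context, as sketched in the
advisory's SIEM query. Added example; events are constructed records."""
import re
from typing import Optional

# Directories from which Creative Cloud components are expected to run.
# Assumption: default install locations; extend for your estate.
ADOBE_ROOTS = (
    "c:\\program files\\adobe\\",
    "c:\\program files (x86)\\adobe\\",
    "c:\\program files\\common files\\adobe\\",
)

# Quoted or bare command-line tokens ending in .dll or .exe.
_PATH_RE = re.compile(r'"([^"]+\.(?:dll|exe))"|(\S+\.(?:dll|exe))', re.IGNORECASE)


def is_adobe_path(path: str) -> bool:
    """True when a (possibly quoted) path sits under an expected Adobe root."""
    p = path.strip('"').lower()
    return any(p.startswith(root) for root in ADOBE_ROOTS)


def referenced_binaries(cmdline: str) -> list:
    """Extract every .dll/.exe path mentioned on a command line."""
    return [m.group(1) or m.group(2) for m in _PATH_RE.finditer(cmdline)]


def evaluate(event: dict) -> Optional[str]:
    """Return a reason string if the event matches the rule, else None."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmdline = event.get("CommandLine", "")
    in_cc_context = "creative cloud" in image.lower() or "creative cloud" in parent.lower()
    if not in_cc_context:
        return None
    if not is_adobe_path(image):
        return f"non-Adobe executable in Creative Cloud context: {image}"
    foreign = [b for b in referenced_binaries(cmdline) if not is_adobe_path(b)]
    if foreign:
        return f"Creative Cloud process referencing non-Adobe binary: {foreign[0]}"
    return None


def run_detection(events: list) -> list:
    """Apply the rule to a batch of events; returns (RecordId, reason) pairs."""
    hits = []
    for ev in events:
        reason = evaluate(ev)
        if reason:
            hits.append((ev["RecordId"], reason))
    return hits


CC_EXE = "C:\\Program Files\\Adobe\\Adobe Creative Cloud\\ACC\\Creative Cloud.exe"

# Constructed sample events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": CC_EXE, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f'"{CC_EXE}"'},
    {"RecordId": 2,  # assumed child component name, under an Adobe root
     "Image": "C:\\Program Files (x86)\\Adobe\\Adobe Creative Cloud\\ACC\\Creative Cloud Helper.exe",
     "ParentImage": CC_EXE,
     "CommandLine": '"C:\\Program Files (x86)\\Adobe\\Adobe Creative Cloud\\ACC\\Creative Cloud Helper.exe"'},
    {"RecordId": 3,  # child executable from a user-writable location
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "ParentImage": CC_EXE,
     "CommandLine": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe /quiet"},
    {"RecordId": 4,  # assumed argument pointing at a DLL outside Adobe roots
     "Image": CC_EXE, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f'"{CC_EXE}" --plugin "C:\\Users\\Public\\plugin.dll"'},
    {"RecordId": 5, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
]


if __name__ == "__main__":
    for record_id, reason in run_detection(SAMPLE_EVENTS):
        print(f"record {record_id}: {reason}")
```

As written the rule flags every non-Adobe child process, which will include legitimate ones such as a browser opened from a Creative Cloud link; tune by extending ADOBE_ROOTS or adding an allowlist of expected child images rather than by loosening the "Creative Cloud" context match.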