CVE-2025-43573
📋 TL;DR
A use-after-free vulnerability in Adobe Acrobat Reader allows arbitrary code execution when a user opens a malicious PDF file. This affects users running vulnerable versions of Acrobat Reader on any operating system. Successful exploitation requires user interaction but grants the attacker code execution with the victim's privileges.
💻 Affected Systems
- Adobe Acrobat Reader DC
- Adobe Acrobat Reader
📦 What is this software?
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the victim's computer, enabling data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Malware installation leading to data exfiltration, credential theft, or system disruption for individual users who open malicious PDFs.
If Mitigated
No impact if users avoid opening untrusted PDFs or if security controls block malicious files before they reach users.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). No public exploit code is currently available according to the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to versions 24.002.30235, 20.005.30764, or 25.002.20522 or later
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb25-57.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader.
2. Go to Help > Check for Updates.
3. Follow prompts to download and install the latest version.
4. Restart the application when prompted.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
All platforms: Prevents JavaScript-based exploitation vectors that might be used in conjunction with this vulnerability
Edit > Preferences > JavaScript > Uncheck 'Enable JavaScript'
Use Protected View for untrusted files
Windows: Forces PDFs from untrusted sources to open in sandboxed Protected View mode
Edit > Preferences > Security (Enhanced) > Enable Protected View for all files from potentially unsafe locations
🧯 If You Can't Patch
- Block PDF files from untrusted sources at email gateways and web proxies
- Implement application whitelisting to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check Adobe Acrobat Reader version via Help > About Adobe Acrobat Reader DC
Check Version:
On Windows: Get-ItemProperty "HKLM:\SOFTWARE\Adobe\Acrobat Reader\DC\Installer" | Select-Object -ExpandProperty Version
Verify Fix Applied:
Verify version is 24.002.30235 or higher (Continuous track), 20.005.30764 or higher (Classic 2020 track), or 25.002.20522 or higher
📡 Detection & Monitoring
Log Indicators:
- Adobe Reader crash logs with memory access violations
- Windows Event Logs showing unexpected process creation from AcroRd32.exe
Network Indicators:
- Unexpected outbound connections from Adobe Reader process
- DNS requests for known malicious domains following PDF file access
SIEM Query:
process_name:"AcroRd32.exe" AND (event_id:1 OR parent_process_name:"AcroRd32.exe")
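The "unexpected process creation from AcroRd32.exe" indicator as detection logic over parsed events. This is an added example, not part of the advisory or any vendor tooling. The field names follow the query above; treating event_id 1 as process creation, the `EXPECTED_CHILDREN` allowlist, the helper names and the sample events are all assumptions made for this example.

```python
import ntpath

READER = "acrord32.exe"
# Assumption: images Reader is expected to start itself (sandboxed renderer,
# embedded browser helper, updater). Tune this to your own baseline.
EXPECTED_CHILDREN = {"acrord32.exe", "rdrcef.exe", "adobearm.exe"}


def image_name(path):
    """Lower-cased file name from a Windows path or a bare image name."""
    return ntpath.basename(path or "").lower()


def unexpected_reader_children(events, expected=EXPECTED_CHILDREN):
    """Return process-creation events whose parent is Reader and whose
    image is not one of the expected children."""
    hits = []
    for e in events:
        if e.get("event_id") != 1:  # assumption: 1 = process creation
            continue
        if image_name(e.get("parent_process_name")) != READER:
            continue
        if image_name(e.get("process_name")) not in expected:
            hits.append(e)
    return hits


def make_event(event_id, parent, child):
    """Build one parsed event (hypothetical helper for the sample data)."""
    return {"event_id": event_id, "parent_process_name": parent,
            "process_name": child}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    make_event(1, "explorer.exe", "AcroRd32.exe"),    # user opens Reader
    make_event(1, "AcroRd32.exe", "AcroRd32.exe"),    # sandboxed renderer
    make_event(1, "AcroRd32.exe", "RdrCEF.exe"),      # expected helper
    make_event(1, r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACRORD32.EXE",
               r"C:\Windows\System32\cmd.exe"),       # flagged
    make_event(3, "AcroRd32.exe", "AcroRd32.exe"),    # not process creation
    make_event(1, "AcroRd32.exe", "powershell.exe"),  # flagged
]

if __name__ == "__main__":
    for hit in unexpected_reader_children(SAMPLE_EVENTS):
        print("ALERT:", hit["parent_process_name"], "->", hit["process_name"])
```

Matching on file name alone treats any binary named like an expected child as benign, so where the log source records full image paths, also compare them against the Reader install directory.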