CVE-2025-64785
📋 TL;DR
This CVE describes an untrusted search path vulnerability in Adobe Acrobat Reader that allows attackers to execute arbitrary code without user interaction. By manipulating the search path used by Acrobat Reader to locate critical resources, attackers can trick the application into loading malicious programs. This affects users running vulnerable versions of Acrobat Reader on Windows systems.
💻 Affected Systems
- Adobe Acrobat Reader DC
- Adobe Acrobat Reader 2020
📦 What is this software?
Acrobat by Adobe
Acrobat by Adobe
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local privilege escalation or execution of malicious payloads within the user context, enabling credential theft, lateral movement, or data exfiltration.
If Mitigated
Limited impact with proper application whitelisting and least privilege controls preventing successful code execution.
🎯 Exploit Status
Exploitation requires ability to modify the search path, which typically means some level of local access or privilege. No user interaction needed once path is modified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to versions after those listed in affected versions
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb25-119.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader. 2. Go to Help > Check for Updates. 3. Follow prompts to download and install latest version. 4. Restart computer after installation completes.
🔧 Temporary Workarounds
Restrict DLL Search Path
windowsConfigure Windows to restrict DLL search path to prevent loading from current directory
Set registry key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\CWDIllegalInDllSearch to 0xFFFFFFFF
Application Whitelisting
windowsImplement application control policies to prevent execution of unauthorized programs
🧯 If You Can't Patch
- Implement least privilege principles - ensure users don't have administrative rights
- Use application control solutions to restrict which programs can execute
🔍 How to Verify
Check if Vulnerable:
Check Adobe Acrobat Reader version via Help > About Adobe Acrobat Reader DC and compare to affected versions listCheck Version:
wmic product where "name like 'Adobe Acrobat Reader%'" get versionVerify Fix Applied:
Verify version is newer than affected versions and check that automatic updates are enabled📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing Acrobat Reader loading DLLs from unusual locations
- Process creation events from Acrobat Reader spawning unexpected child processes
Network Indicators:
- Unusual outbound connections from Acrobat Reader process
SIEM Query:
Process creation where parent_process_name contains 'Acro' and (process_path contains 'temp' or process_path contains 'appdata')