CVE-2025-43576 Overview
CVE-2025-43576 is a Use After Free vulnerability [CWE-416] affecting Adobe Acrobat and Acrobat Reader on Windows and macOS. Successful exploitation allows arbitrary code execution in the context of the current user. Adobe Acrobat Reader versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier are affected. Exploitation requires user interaction, meaning a victim must open a malicious PDF file. Adobe addressed the issue in security advisory APSB25-57. Talos researchers published technical details in vulnerability report TALOS-2025-2170.
Critical Impact
A specially crafted PDF can trigger memory reuse after deallocation, enabling attackers to execute arbitrary code with the privileges of the user opening the document.
Affected Products
- Adobe Acrobat DC (Continuous track) — versions 24.001.30235 and earlier
- Adobe Acrobat Reader DC (Continuous track) — versions 25.001.20521 and earlier
- Adobe Acrobat / Acrobat Reader (Classic track) — versions 20.005.30763 and earlier on Windows and macOS
Discovery Timeline
- 2025-06-10 - CVE-2025-43576 published to NVD
- 2025-06-27 - Last updated in NVD database
Technical Details for CVE-2025-43576
Vulnerability Analysis
The vulnerability is a Use After Free condition in Adobe Acrobat and Acrobat Reader. A Use After Free occurs when an application continues to reference memory after that memory has been released back to the allocator. When the attacker controls the contents of the reallocated chunk, dereferencing the dangling pointer can hijack control flow.
In the context of Acrobat Reader, the flaw is reached during the parsing or rendering of a malicious PDF document. The reader operates with user-level privileges, so successful exploitation yields code execution at that privilege level. Local user interaction is required because the victim must open the crafted file.
Root Cause
The defect is categorized under CWE-416: Use After Free. An object referenced during PDF processing is freed before all pointers to it are cleared. Subsequent operations dereference the stale pointer, allowing the heap state to be manipulated by content embedded in the PDF. Adobe has not published the specific function involved. Refer to the Talos Vulnerability Report TALOS-2025-2170 for additional technical detail.
Attack Vector
The attack vector is local and requires user interaction. An attacker must deliver a malicious PDF to a target, typically through email attachments, drive-by downloads, or shared file repositories. When the user opens the file in an unpatched version of Acrobat or Reader, the parser triggers the freed-memory access. Code execution occurs in the user's security context. No authentication is required on the affected system beyond the user opening the document.
No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-43576
Indicators of Compromise
- Unexpected child processes spawned by Acrobat.exe or AcroRd32.exe, such as cmd.exe, powershell.exe, or rundll32.exe.
- Acrobat or Reader processes performing outbound network connections to unfamiliar hosts shortly after a PDF is opened.
- Crash events or Windows Error Reporting entries referencing access violations inside Acrobat modules.
- PDF files containing heavily obfuscated JavaScript, malformed objects, or unusual stream filters arriving from untrusted senders.
Detection Strategies
- Hunt for process lineage where Acrobat or Reader is the parent of shell, scripting, or LOLBin processes.
- Monitor for write activity by Acrobat processes to directories used for persistence such as %APPDATA%, %TEMP%, and Startup folders.
- Inspect PDF samples in sandboxed environments and alert on heap corruption indicators or anomalous object structures.
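One way to express the process-lineage and file-write hunts above as code, run over constructed process-creation and file-creation events (an added example, not Adobe's or the advisory author's tooling). The field names follow Sysmon Event ID 1 and 11; the hosts, paths, the three extra child process names and the extension list are assumptions.

```python
import json
from pathlib import PureWindowsPath

READERS = {"acrobat.exe", "acrord32.exe"}  # parent images named on the page
# cmd/powershell/rundll32 are named on the page; the other three are assumed additions.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                    "wscript.exe", "cscript.exe", "mshta.exe"}
DROP_EXTS = {".exe", ".dll", ".js", ".vbs", ".ps1", ".bat", ".lnk"}  # assumed list

# Constructed events using Sysmon field names (EventID 1 = process create, 11 = file create).
SAMPLE_EVENTS = r"""
{"EventID": 1, "Host": "ws-01", "ParentImage": "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe", "Image": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Host": "ws-02", "ParentImage": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe", "Image": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe"}
{"EventID": 1, "Host": "ws-03", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"EventID": 11, "Host": "ws-02", "Image": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\A9R1x.tmp"}
{"EventID": 11, "Host": "ws-02", "Image": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.lnk"}
{"EventID": 11, "Host": "ws-01", "Image": "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\inv.dll"}
"""

def image_name(path):
    """Lower-cased file name of a Windows path, so matching ignores directory and case."""
    return PureWindowsPath(path).name.lower()

def detect(raw):
    """Return (host, rule, artifact) for every event that matches a hunt rule."""
    findings = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        if ev["EventID"] == 1:
            child = image_name(ev["Image"])
            if image_name(ev["ParentImage"]) in READERS and child in SUSPECT_CHILDREN:
                findings.append((ev["Host"], "reader_spawned_shell", child))
        elif ev["EventID"] == 11 and image_name(ev["Image"]) in READERS:
            target = PureWindowsPath(ev["TargetFilename"])
            dirs = {part.lower() for part in target.parts[:-1]}
            # Readers write scratch files under AppData (which holds %TEMP%) all the
            # time, so only Startup writes or executable/script drops are findings.
            if "startup" in dirs:
                findings.append((ev["Host"], "reader_wrote_startup", target.name))
            elif "appdata" in dirs and target.suffix.lower() in DROP_EXTS:
                findings.append((ev["Host"], "reader_dropped_executable", target.name))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The reader's own helper process (RdrCEF.exe), the PowerShell launched from Explorer and the `.tmp` scratch file produce no findings, which is the baseline a production rule has to preserve.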
Monitoring Recommendations
- Centralize endpoint telemetry covering process creation, image loads, and module memory protection changes for Acrobat binaries.
- Track installed Acrobat and Reader versions across the fleet and alert on hosts running builds older than the fixed releases.
- Enable email gateway scanning and detonation for PDF attachments originating from external senders.
How to Mitigate CVE-2025-43576
Immediate Actions Required
- Update Adobe Acrobat and Acrobat Reader to the fixed versions identified in Adobe Security Advisory APSB25-57.
- Inventory all endpoints running Acrobat or Reader and prioritize patching for users who routinely handle external PDFs.
- Restrict execution of PDF readers other than the supported, patched build through application control policies.
Patch Information
Adobe released fixed versions in advisory APSB25-57 as part of the June 2025 Patch Tuesday cycle. Administrators should deploy the latest Continuous and Classic track updates through Adobe Update Manager, SCCM, Intune, Jamf, or equivalent enterprise software distribution platforms. Verify update success by checking the application version under Help > About Adobe Acrobat.
Workarounds
- Enable Protected View and Protected Mode in Acrobat and Reader to sandbox PDF rendering for files from untrusted sources.
- Disable JavaScript execution in Acrobat through Preferences > JavaScript > Enable Acrobat JavaScript until patching is complete.
- Block or quarantine inbound PDF attachments from external senders at the email gateway when patching cannot be completed promptly.
- Train users to avoid opening unexpected PDF attachments and to report suspicious documents to the security team.
# Configuration example: disable Acrobat JavaScript via Windows registry (HKLM)
reg add "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bDisableJavaScript /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown" /v bDisableJavaScript /t REG_DWORD /d 1 /f
# Enforce Protected View for all files
reg add "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v iProtectedView /t REG_DWORD /d 2 /f