CVE-2025-64785: Adobe Acrobat RCE Vulnerability

CVE-2025-64785 Overview

CVE-2025-64785 is an Untrusted Search Path vulnerability [CWE-426] affecting multiple versions of Adobe Acrobat and Acrobat Reader. The affected versions include 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803, and earlier releases across both Classic and Continuous tracks. Attackers can leverage the flaw to execute arbitrary code in the context of the current user when the application loads a malicious resource from an attacker-controlled search path. Exploitation requires user interaction — specifically, the user must open a malicious file. The vulnerability impacts Acrobat installations on both Microsoft Windows and Apple macOS platforms.

Critical Impact

Successful exploitation results in arbitrary code execution with the privileges of the current user, enabling local compromise, persistence, and lateral movement on affected systems.

Affected Products

• Adobe Acrobat (Classic track) versions 24.001.30264, 24.001.30273, 20.005.30793, 20.005.30803, and earlier
• Adobe Acrobat DC and Acrobat Reader DC (Continuous track) version 25.001.20982 and earlier
• Adobe Acrobat and Acrobat Reader installations on Microsoft Windows and Apple macOS

Discovery Timeline

• 2025-12-09 - CVE-2025-64785 published to NVD
• 2026-04-28 - Last updated in NVD database

Technical Details for CVE-2025-64785

Vulnerability Analysis

The vulnerability stems from how Adobe Acrobat and Acrobat Reader resolve paths to external resources at runtime. When the application searches for critical resources such as dynamic libraries, helper executables, or supporting modules, it consults a search path that an attacker can influence. If an attacker plants a malicious file in a directory that appears earlier in the resolution order than the legitimate location, the application loads the attacker-supplied binary instead. The injected code then runs inside the Acrobat process with the rights of the current user. Because Acrobat is widely deployed and frequently used to open documents from untrusted sources, this class of flaw is well-suited for staged document-based attacks.

Root Cause

The root cause is improper control over a search path used to locate resources, classified under [CWE-426] Untrusted Search Path. Acrobat does not adequately constrain or validate the directories it inspects when loading dependent components. An attacker who can write to a directory included in that search path — or who can deliver a document package that places adjacent files in a writable location — can substitute a malicious resource for a trusted one.

Attack Vector

Exploitation is local and requires user interaction. The typical attack chain involves delivering a crafted PDF or accompanying file via email, web download, or shared storage. When the victim opens the file in a vulnerable Acrobat or Reader build, Acrobat resolves a required resource through the influenced search path and loads the attacker's payload. Code execution occurs without additional privilege escalation steps, inheriting the privileges of the logged-on user. No verified public proof-of-concept code is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-64785

Indicators of Compromise

• Unexpected dynamic link libraries (DLLs) or shared objects appearing in directories adjacent to Acrobat installation paths or recently opened document locations.
• Acrobat or Reader processes (Acrobat.exe, AcroRd32.exe) spawning child processes such as cmd.exe, powershell.exe, or bash shortly after a document is opened.
• Write events to user-writable directories within or near the Acrobat application path immediately preceding document open events.

Detection Strategies

• Hunt for module-load events where Acrobat loads non-Adobe-signed binaries from unusual directories, particularly user profile or temporary paths.
• Correlate file-write events for .dll, .dylib, or executable files in directories accessible to Acrobat with subsequent Acrobat process launches.
• Inspect command-line ancestry to identify Acrobat-initiated execution chains that deviate from documented application behavior.

Monitoring Recommendations

• Enable detailed process creation logging (Windows Event ID 4688 with command line, or execve auditing on macOS) for Acrobat binaries.
• Monitor image load events for Acrobat processes and alert on unsigned or non-Adobe-signed modules.
• Track PDF delivery channels — email gateways, web proxies, and file shares — and review attachments paired with adjacent loose files that could populate a search path.

How to Mitigate CVE-2025-64785

Immediate Actions Required

• Apply Adobe's security updates referenced in Adobe Acrobat Security Advisory APSB25-119 to all affected Acrobat and Reader installations.
• Inventory endpoints running Acrobat or Reader on Windows and macOS, prioritizing systems that process documents from external sources.
• Restrict write permissions on directories included in Acrobat's resource search paths to prevent unprivileged users from planting malicious files.

Patch Information

Adobe addressed CVE-2025-64785 in the security update described in advisory APSB25-119. Administrators should upgrade beyond the affected builds 24.001.30264, 24.001.30273, 20.005.30793, 20.005.30803, and 25.001.20982. Refer to the Adobe Acrobat Security Advisory for fixed version numbers and download locations.

Workarounds

• Open PDFs only from trusted sources and disable automatic opening of PDF attachments in mail clients until patches are deployed.
• Enable Protected View and Protected Mode in Acrobat to reduce the impact of malicious documents on unpatched endpoints.
• Use application allowlisting to prevent Acrobat from loading unsigned or unexpected modules from user-writable locations.

# Configuration example: enforce Protected Mode and Protected View on Windows via registry
reg add "HKCU\Software\Adobe\Acrobat Reader\DC\Privileged" /v bProtectedMode /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Adobe\Acrobat Reader\DC\TrustManager" /v iProtectedView /t REG_DWORD /d 2 /f