Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64899

CVE-2025-64899: Adobe Acrobat RCE Vulnerability

CVE-2025-64899 is an out-of-bounds read RCE flaw in Adobe Acrobat that enables attackers to execute malicious code via crafted files. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-64899 Overview

CVE-2025-64899 is an out-of-bounds read vulnerability [CWE-125] affecting Adobe Acrobat and Acrobat Reader on Windows and macOS. The flaw exists in the file parsing logic and allows an attacker to read memory past the end of an allocated structure when a crafted document is processed. Successful exploitation can lead to arbitrary code execution in the context of the current user. Exploitation requires user interaction: the victim must open a malicious file delivered through email, web download, or another untrusted channel.

Critical Impact

An attacker who convinces a user to open a crafted PDF can execute code with the privileges of the current user, leading to full compromise of the user session on affected Windows and macOS hosts.

Affected Products

  • Adobe Acrobat and Acrobat Reader (Classic track) versions 24.001.30264, 20.005.30793 and earlier
  • Adobe Acrobat DC and Acrobat Reader DC (Continuous track) versions 25.001.20982, 24.001.30273, 20.005.30803 and earlier
  • Microsoft Windows and Apple macOS installations running the affected Acrobat builds

Discovery Timeline

  • 2025-12-09 - CVE-2025-64899 published to NVD
  • 2025-12-12 - Last updated in NVD database

Technical Details for CVE-2025-64899

Vulnerability Analysis

The vulnerability is an out-of-bounds read condition triggered during the parsing of a crafted file by Adobe Acrobat or Acrobat Reader. When the parser processes malformed structures inside the document, it reads memory beyond the bounds of an allocated buffer. The leaked memory contents and adjacent heap state can be shaped by an attacker to construct a reliable code execution primitive.

The issue is local in attack vector because the malicious file must be opened on the target system. It does not require prior authentication, but the user must be tricked into opening the document. Confidentiality, integrity, and availability are all impacted because successful exploitation yields arbitrary code execution under the current user.

Root Cause

The root cause is missing or insufficient bounds checking in a file-format parsing routine inside Acrobat. The parser trusts size or offset fields embedded in the document and dereferences memory based on those values without validating them against the actual size of the allocated structure. This is a classic [CWE-125] Out-of-Bounds Read pattern in a complex file format parser.

Attack Vector

An attacker crafts a malicious PDF or related document and delivers it to a victim through phishing, a watering-hole site, a shared drive, or another social-engineering channel. When the victim opens the document in a vulnerable Acrobat or Reader build, the parser processes the malformed structure and triggers the out-of-bounds read. The attacker uses the resulting memory disclosure and corrupted state to achieve code execution at the privilege level of the user running Acrobat.

No public proof-of-concept exploit and no confirmed in-the-wild exploitation have been reported. Refer to the Adobe Security Advisory APSB25-119 for vendor-confirmed technical details.

Detection Methods for CVE-2025-64899

Indicators of Compromise

  • Unexpected child processes spawned by Acrobat.exe, AcroRd32.exe, or AdobeAcrobat on macOS, particularly shells, scripting engines, or rundll32.exe.
  • Acrobat or Reader processes crashing with access violations shortly after opening an emailed or downloaded PDF.
  • PDF files arriving from untrusted senders containing unusually large or malformed object streams, embedded JavaScript, or non-standard cross-reference tables.

Detection Strategies

  • Hunt for process-lineage anomalies where Acrobat or Reader is the parent of command interpreters, network utilities, or persistence-related binaries.
  • Correlate PDF file writes from mail clients and browsers with subsequent Acrobat process launches and outbound network connections.
  • Monitor Windows Error Reporting and macOS crash logs for repeated faults in Acrobat parsing modules, which can indicate exploitation attempts or unstable exploit chains.

Monitoring Recommendations

  • Inventory all endpoints running Adobe Acrobat and Reader and track installed build numbers against the fixed versions listed in APSB25-119.
  • Forward endpoint process, file, and module-load telemetry to a central data lake so analysts can pivot across hosts when a suspicious PDF is identified.
  • Enable enhanced logging in mail gateways and web proxies to retain copies of PDF attachments for retrospective hunting.

How to Mitigate CVE-2025-64899

Immediate Actions Required

  • Apply the updates published in Adobe Security Advisory APSB25-119 to all affected Acrobat and Reader installations on Windows and macOS.
  • Prioritize systems used by high-risk roles such as executives, finance, HR, and legal teams that routinely open externally sourced PDFs.
  • Block or quarantine inbound PDFs from untrusted senders at the mail gateway until patching is complete.

Patch Information

Adobe released fixed builds in advisory APSB25-119. Administrators should upgrade Acrobat and Reader to versions later than 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, and 20.005.30803 on both Continuous and Classic tracks. Endpoints managed by the Adobe Update Service should be confirmed to have received the December 2025 update through inventory or configuration management tooling.

Workarounds

  • Enable Adobe Acrobat Protected View and Protected Mode so that untrusted documents open in a sandbox with reduced privileges.
  • Disable JavaScript execution in Acrobat preferences for users who do not require it, reducing the attack surface available to crafted documents.
  • Restrict opening of PDFs from email or the internet through Group Policy or mobile device management until patches are deployed.
bash
# Configuration example: disable JavaScript in Adobe Acrobat/Reader via Windows registry
reg add "HKCU\Software\Adobe\Acrobat Reader\DC\JSPrefs" /v bEnableJS /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Adobe\Adobe Acrobat\DC\JSPrefs" /v bEnableJS /t REG_DWORD /d 0 /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.