Critical Adobe Acrobat Reader Vulnerabilities Expose Users to Arbitrary Code Execution and Security Bypasses
Adobe has recently released a security bulletin addressing multiple vulnerabilities in its Acrobat and Reader software that could allow attackers to execute arbitrary code and bypass security features. These vulnerabilities affect both Windows and macOS platforms, underscoring the importance of prompt updates to maintain system security.
Overview of the Vulnerabilities
On December 9, 2025, Adobe issued security bulletin APSB25-119, highlighting several critical and moderate vulnerabilities within Acrobat and Reader. The most severe of these vulnerabilities include:
– Untrusted Search Path (CWE-426): This critical flaw, identified as CVE-2025-64785, allows for arbitrary code execution. It has been assigned a CVSS base score of 7.8, indicating a high level of severity.
– Out-of-Bounds Read (CWE-125): Another critical vulnerability, CVE-2025-64899, also enables arbitrary code execution with a CVSS base score of 7.8.
– Improper Verification of Cryptographic Signature (CWE-347): Two moderate vulnerabilities, CVE-2025-64786 and CVE-2025-64787, could lead to security feature bypasses. Each has been assigned a CVSS base score of 3.3.
Potential Exploitation Scenarios
The critical vulnerabilities (CVE-2025-64785 and CVE-2025-64899) pose significant risk because they can be exploited to execute arbitrary code on a user’s system. This could occur if a user opens a maliciously crafted PDF file, leading to unauthorized actions such as data theft, system compromise, or further malware installation.
The moderate vulnerabilities (CVE-2025-64786 and CVE-2025-64787) involve improper verification of cryptographic signatures. Exploitation of these flaws could allow attackers to bypass security features, potentially leading to unauthorized access or data manipulation.
Affected Products and Versions
The vulnerabilities impact multiple versions of Adobe Acrobat and Reader across different platforms:
– Acrobat DC (Continuous): Versions 25.001.20982 and earlier on Windows and macOS.
– Acrobat Reader DC (Continuous): Versions 25.001.20982 and earlier on Windows and macOS.
– Acrobat 2024 (Classic 2024): Windows versions 24.001.30264 and earlier; macOS versions 24.001.30273 and earlier.
– Acrobat 2020 (Classic 2020): Windows versions 20.005.30793 and earlier; macOS versions 20.005.30803 and earlier.
– Acrobat Reader 2020 (Classic 2020): Windows versions 20.005.30793 and earlier; macOS versions 20.005.30803 and earlier.
Recommended Actions
Adobe strongly recommends that users update their software to the latest versions to mitigate these vulnerabilities. Users can update manually by navigating to Help > Check for Updates within the application. Alternatively, enabling automatic updates ensures that security patches are applied promptly without user intervention.
The updated versions addressing these vulnerabilities are:
– Acrobat DC and Reader DC: Version 25.001.20997.
– Acrobat 2024: Version 24.001.30307 for Windows and 24.001.30308 for macOS.
– Acrobat 2020: Version 20.005.30838 for both Windows and macOS.
IT administrators are advised to deploy these updates using their preferred methods, such as AIP-GPO, bootstrapper, or SCCM, particularly in Windows environments.
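For administrators who need to confirm which installations still require the update, the following added example (not Adobe's code, and not part of the bulletin) classifies installed versions against the fixed builds listed above. It assumes the major version number identifies the release track (25 = Continuous, 24 = Classic 2024, 20 = Classic 2020), which holds for every version this bulletin lists, and it reads a constructed `host,platform,version` inventory with hypothetical hostnames.

```python
# Patch-status check for Adobe APSB25-119 (added example, not Adobe's own code).

# Minimum fixed version per (track, platform), as listed in the bulletin summary above.
FIXED_VERSIONS = {
    ("continuous", "windows"): (25, 1, 20997),
    ("continuous", "macos"): (25, 1, 20997),
    ("classic2024", "windows"): (24, 1, 30307),
    ("classic2024", "macos"): (24, 1, 30308),   # macOS fix build differs from Windows
    ("classic2020", "windows"): (20, 5, 30838),
    ("classic2020", "macos"): (20, 5, 30838),
}
# Assumption: major number identifies the track; true for every version in this bulletin.
TRACK_BY_MAJOR = {25: "continuous", 24: "classic2024", 20: "classic2020"}


def parse_version(text: str) -> tuple[int, int, int]:
    """'25.001.20982' -> (25, 1, 20982); int tuples compare numerically, not as text."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version string: {text!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def patch_status(platform: str, version_text: str) -> str:
    """Classify one installed copy as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((TRACK_BY_MAJOR.get(version[0]), platform.lower()))
    if fixed is None:
        return "unknown"  # not covered by this bulletin: do not assume it is safe
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory: str) -> dict[str, str]:
    """Map host -> status for lines of the form 'host,platform,version'."""
    result = {}
    for line in inventory.strip().splitlines():
        host, platform, version = (field.strip() for field in line.split(","))
        result[host] = patch_status(platform, version)
    return result


# Constructed inventory (hypothetical hosts) covering each track and the macOS edge case.
SAMPLE_INVENTORY = """
ws-01,windows,25.001.20982
ws-02,windows,25.001.20997
mac-01,macos,24.001.30307
mac-02,macos,24.001.30308
ws-03,windows,20.005.30793
ws-04,linux,25.001.20997
"""
```

Note that a Classic 2024 build of 24.001.30307 is patched on Windows but still vulnerable on macOS, which is why the check keys on platform as well as version.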
Current Threat Landscape
As of now, Adobe reports no known exploits targeting these vulnerabilities in the wild. However, given the critical nature of these flaws and their potential for remote code execution, it is imperative for users and organizations to apply the updates without delay to prevent potential security breaches.
Conclusion
The discovery of these vulnerabilities in Adobe Acrobat and Reader underscores the ongoing need for vigilance in software security. By promptly updating to the latest versions, users can protect themselves against potential exploits that could lead to arbitrary code execution and security feature bypasses. Regular software updates and adherence to security best practices remain essential components of a robust cybersecurity strategy.