Vulnerability in Adobe Acrobat and Reader being actively exploited
Adobe has released a patch to fix critical vulnerabilities in Adobe Acrobat and Adobe Reader. One of these, CVE-2021-28550, is a use-after-free vulnerability that allows arbitrary code execution and has been actively exploited. It can be exploited by opening a specially crafted PDF file in a vulnerable version of Adobe Acrobat or Adobe Reader.
CERT NZ recommends that all users of these programs update Adobe Acrobat and Adobe Reader immediately.
The following software versions are affected.
- 2021.001.20150 and earlier for Acrobat DC & Acrobat Reader DC
- 2020.001.30020 and earlier for Acrobat 2020 & Acrobat Reader 2020
- 2017.011.30194 and earlier for Acrobat 2017 & Acrobat Reader 2017
What this means
If a user opens a maliciously crafted PDF file with an affected version, an attacker can execute arbitrary code on the device.
What to look for
How to tell if you're at risk
You are at risk if you use Adobe Acrobat or Adobe Reader and have not yet updated to the latest version.
What to do
CERT NZ recommends you apply the latest software updates to Adobe Acrobat and Adobe Reader.
The following software versions have been patched.
- 2021.001.20155 and later for Acrobat DC & Acrobat Reader DC
- 2020.001.30025 and later for Acrobat 2020 & Acrobat Reader 2020
- 2017.011.30196 and later for Acrobat 2017 & Acrobat Reader 2017
For further information on how to update the software, please see Adobe’s APSB21-29 Security Bulletin (see link below).
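The affected and patched version lists above can be checked against a software inventory. The following is an added example, not code from CERT NZ or Adobe; the track keys (DC, 2020, 2017), the status names and the inventory rows are assumptions constructed for illustration, and the track must be supplied from the inventory rather than guessed from the version number.

```python
# Added example; thresholds come from the advisory's lists, track keys are assumed.
THRESHOLDS = {
    # track: (last affected build, first patched build)
    "DC":   ("2021.001.20150", "2021.001.20155"),
    "2020": ("2020.001.30020", "2020.001.30025"),
    "2017": ("2017.011.30194", "2017.011.30196"),
}


def parse_version(text):
    """Turn 'YYYY.MMM.BBBBB' into a tuple of ints so comparison is numeric."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(track, version):
    """Return 'affected', 'patched', 'unlisted' or 'unknown' for one install."""
    if track not in THRESHOLDS:
        return "unknown"
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    last_affected, first_patched = (parse_version(t) for t in THRESHOLDS[track])
    if v >= first_patched:
        return "patched"
    if v <= last_affected:
        return "affected"
    # Builds between the two lists are not named by the advisory; they are
    # below the patched build, so they still need the update.
    return "unlisted"


def hosts_to_update(inventory):
    """Hosts not confirmed as patched: update them or investigate."""
    return [h for h, t, v in inventory if classify(t, v) != "patched"]


# Constructed inventory rows: (host, track, installed version)
INVENTORY = [
    ("ws-01", "DC", "2021.001.20150"),
    ("ws-02", "DC", "2021.001.20155"),
    ("ws-03", "2017", "2017.011.30195"),
    ("ws-04", "2020", "not installed"),
]

print(hosts_to_update(INVENTORY))
```

Rows that come back as unknown (an unrecognised track or version string) are kept in the update list so they get looked at rather than silently passed.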
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at email@example.com or call the MBIE media team on 027 442 2141.