---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerabilities in Adobe Acrobat Software'
version: '1.0'
number: '2021-024'
date: 'May 12, 2021'
---

_History:_

* _12/05/2021 --- v1.0 -- Initial publication_

# Summary

Adobe has released 12 updates addressing 44 vulnerabilities in Experience Manager, InDesign, Illustrator, InCopy, Adobe Genuine Service, Acrobat and Reader, Magento, Creative Cloud Desktop, Media Encoder, After Effects, Medium, and Animate [1, 4]. The most critical of them -- CVE-2021-28550 -- may allow attackers to remotely execute code [3].

# Technical Details

This advisory describes only the most **critical** vulnerability, **CVE-2021-28550**, because Adobe has received a report that it **has been exploited** in the wild in limited attacks targeting Adobe Reader users on Windows. Adobe has not provided any technical details about the attacks, but the vulnerability could be exploited by an attacker by tricking victims into opening a specially crafted PDF with an affected version of Acrobat Reader [2, 5].

## Priority and Severity Rating for **CVE-2021-28550**

* Priority - 1 (Highest): this update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for example, within 72 hours) [3].
* Severity - Critical (Highest): a vulnerability which, if exploited, would allow malicious native code to execute, potentially without a user being aware [3].

# Affected Products

The following products could be affected by the vulnerability [2]:

| Product           | Affected Versions                   | Platform        |
| :---------------: | :---------------------------------- | :-------------: |
| Acrobat DC        | 2021.001.20150 and earlier versions | Windows         |
| Acrobat Reader DC | 2021.001.20150 and earlier versions | Windows         |
| Acrobat DC        | 2021.001.20149 and earlier versions | macOS           |
| Acrobat Reader DC | 2021.001.20149 and earlier versions | macOS           |
| Acrobat 2020      | 2020.001.30020 and earlier versions | Windows & macOS |
| Acrobat DC        | 2020.001.30020 and earlier versions | Windows & macOS |
| Acrobat 2017      | 2017.011.30194 and earlier versions | Windows & macOS |
| Acrobat DC        | 2017.011.30194 and earlier versions | Windows & macOS |

# Recommendations

It is recommended to update all affected software to the latest versions.

# References

[1]

[2]

[3]

[4]

[5]
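
To find hosts that still need the update, the Affected Products table can be applied to a software inventory. The following is an added example, not part of the CERT-EU advisory or of any Adobe tooling. The CSV columns, host names, status labels and the two-digit-year normalisation are assumptions; the version ceilings are the table's rows.

```python
import csv
import io

# Highest affected versions, copied row by row from the advisory's table.
ADVISORY_ROWS = [
    ("Acrobat DC", "windows", "2021.001.20150"),
    ("Acrobat Reader DC", "windows", "2021.001.20150"),
    ("Acrobat DC", "macos", "2021.001.20149"),
    ("Acrobat Reader DC", "macos", "2021.001.20149"),
    ("Acrobat 2020", "windows,macos", "2020.001.30020"),
    ("Acrobat DC", "windows,macos", "2020.001.30020"),
    ("Acrobat 2017", "windows,macos", "2017.011.30194"),
    ("Acrobat DC", "windows,macos", "2017.011.30194"),
]

def parse_version(text):
    """'2021.001.20150' -> (2021, 1, 20150); a two-digit year is assumed to mean 20xx."""
    year, minor, build = (int(p) for p in text.strip().split("."))  # ValueError if malformed
    return (year + 2000 if year < 100 else year, minor, build)

def build_ceilings(rows):
    """Highest affected version per (product, platform); overlapping rows collapse."""
    ceilings = {}
    for product, platforms, version in rows:
        for key in ((product.lower(), p) for p in platforms.split(",")):
            ceilings[key] = max(ceilings.get(key, (0, 0, 0)), parse_version(version))
    return ceilings

def triage(inventory_csv):
    """Return [(host, status)]: 'affected', 'not_listed' or 'unknown'."""
    ceilings, results = build_ceilings(ADVISORY_ROWS), []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        ceiling = ceilings.get((row["product"].lower(), row["platform"].lower()))
        try:
            installed = parse_version(row["version"])
        except ValueError:
            installed = None  # unparseable version string: needs a manual check
        known = ceiling is not None and installed is not None
        status = ("affected" if installed <= ceiling else "not_listed") if known else "unknown"
        results.append((row["host"], status))
    return results

# Constructed inventory; hosts and versions are made up for this example.
SAMPLE = """host,product,version,platform
ws-01,Acrobat Reader DC,21.001.20150,Windows
mac-07,Acrobat Reader DC,2021.001.20150,macOS
ws-03,Acrobat DC,2021.001.20155,Windows
ws-04,Acrobat 2020,n/a,Windows
"""
```

`not_listed` only means the installed version is above the highest affected version in the table; `unknown` rows need a manual check.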