
Adobe Acrobat Reader CVE-2025-64787

Severity: LOW
Improper Verification of Cryptographic Signature (CWE-347)
2025-12-09 psirt@adobe.com
CVSS 3.1 score: 3.3

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 28, 2026 - 03:30 (vuln.today)

Description (NVD)

Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Improper Verification of Cryptographic Signature vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass cryptographic protections and gain limited unauthorized write access. Exploitation of this issue requires user interaction with a cryptographic signature.

Analysis (AI)

Improper verification of cryptographic signatures in Adobe Acrobat Reader versions up to 24.001.30264, 20.005.30803, and 25.001.20982 allows local attackers to bypass cryptographic protections and gain limited unauthorized write access to PDF documents. The vulnerability requires user interaction with a malicious or crafted PDF containing an improperly signed element. With a CVSS score of 3.3 and a local attack vector, this is a low-severity security feature bypass affecting document integrity verification.

Technical Context (AI)

This vulnerability stems from improper implementation of cryptographic signature verification (CWE-347) in Adobe's PDF signature validation mechanism. PDF signatures are a core security feature that authenticate document origin and detect tampering. The flaw allows an attacker to craft a PDF with a signature that fails proper cryptographic validation but is still accepted by the application, enabling unauthorized modification of signed documents. The affected products span both classic and continuous release tracks across Acrobat and Acrobat Reader product lines (CPE: adobe:acrobat*, adobe:acrobat_dc, adobe:acrobat_reader*, adobe:acrobat_reader_dc), indicating a platform-wide signature handling defect.

Remediation (AI)

Update Adobe Acrobat Reader to the patched versions released in APSB25-119 (versions newer than 24.001.30264, 20.005.30803, or 25.001.20982, depending on your track). Users on the classic release track should update to the next available version after their track's affected version; users on the continuous track should update to the latest Acrobat DC continuous release. No workarounds are available to disable signature verification without compromising document authenticity workflows. As a compensating control, restrict the opening of untrusted PDF documents from external sources, and educate users not to accept signature warnings or dialogs that appear unusual. Organizations should verify the legitimacy of document signatures through out-of-band channels when critical documents are involved. Adobe has confirmed patch availability in its APSB25-119 advisory at https://helpx.adobe.com/security/products/acrobat/apsb25-119.html.
