
Critical security updates for Acrobat and Reader are available, addressing multiple vulnerabilities that could allow attackers to execute arbitrary code and bypass essential security features.
Adobe issued security bulletin APSB25-119 on December 9, 2025, with a priority rating of 3, affecting both Windows and macOS platforms. The vulnerabilities stem from multiple weaknesses in the PDF processing engine.
| Vulnerability Category | CWE | Impact | Severity | CVSS Score | CVE |
|---|---|---|---|---|---|
| Untrusted Search Path | CWE-426 | Arbitrary code execution | Critical | 7.8 | CVE-2025-64785 |
| Out-of-bounds Read | CWE-125 | Arbitrary code execution | Critical | 7.8 | CVE-2025-64899 |
| Improper Verification of Cryptographic Signature | CWE-347 | Security feature bypass | Moderate | 3.3 | CVE-2025-64786 |
| Improper Verification of Cryptographic Signature | CWE-347 | Security feature bypass | Moderate | 3.3 | CVE-2025-64787 |
How Attackers Could Exploit the Flaws
Two critical flaws enable arbitrary code execution: an untrusted search path vulnerability (CVE-2025-64785) and an out-of-bounds read (CVE-2025-64899). Each carries a CVSS base score of 7.8, indicating severe risk to users.
Two additional moderate vulnerabilities related to improper verification of cryptographic signatures could allow attackers to bypass security features, each with a CVSS score of 3.3.
The affected products include Acrobat DC, Acrobat Reader DC, Acrobat 2024, Acrobat 2020, and Acrobat Reader 2020 across all current versions.
| Product | Track | Affected Versions | Platform |
|---|---|---|---|
| Acrobat DC | Continuous | 25.001.20982 and earlier | Windows & macOS |
| Acrobat Reader DC | Continuous | 25.001.20982 and earlier | Windows & macOS |
| Acrobat 2024 | Classic 2024 | Win – 24.001.30264 and earlier; Mac – 24.001.30273 and earlier | Windows & macOS |
| Acrobat 2020 | Classic 2020 | Win – 20.005.30793 and earlier; Mac – 20.005.30803 and earlier | Windows & macOS |
| Acrobat Reader 2020 | Classic 2020 | Win – 20.005.30793 and earlier; Mac – 20.005.30803 and earlier | Windows & macOS |
Adobe recommends installing the latest versions immediately. Users can update manually through Help > Check for Updates, or allow automatic updates to install security patches without intervention.
The updated versions are Acrobat DC and Reader DC 25.001.20997, Acrobat 2024 versions 24.001.30307 (Windows) and 24.001.30308 (macOS), and Acrobat 2020 version 20.005.30838 on both platforms.
IT administrators should deploy updates using their preferred method, such as AIP-GPO, bootstrapper, or SCCM, for Windows environments.
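To decide which hosts need the update first, the affected-version ceilings from the table above can be checked against a software inventory. The following is an added example, not Adobe's tooling: the CSV column layout, hostnames and sample rows are constructed assumptions, and only the version ceilings come from the bulletin.

```python
import csv
import io

# Highest affected version per (track, platform), copied from the affected-versions table.
AFFECTED_MAX = {
    ("continuous", "windows"): "25.001.20982",
    ("continuous", "macos"): "25.001.20982",
    ("classic 2024", "windows"): "24.001.30264",
    ("classic 2024", "macos"): "24.001.30273",
    ("classic 2020", "windows"): "20.005.30793",
    ("classic 2020", "macos"): "20.005.30803",
}

def parse_version(text):
    """Turn 'NN.NNN.NNNNN' into a tuple of ints so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Return (host, status) pairs; status is 'affected', 'not affected' or 'review'."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = (row["track"].strip().lower(), row["platform"].strip().lower())
        try:
            ceiling = parse_version(AFFECTED_MAX[key])
            installed = parse_version(row["version"] or "")
        except (KeyError, ValueError):
            # Unknown track/platform or unparsable version: flag for a human, do not guess.
            results.append((row["host"], "review"))
            continue
        results.append((row["host"], "affected" if installed <= ceiling else "not affected"))
    return results

# Constructed sample inventory (hostnames and column layout are assumptions).
SAMPLE = """host,product,track,platform,version
ws-01,Acrobat Reader DC,Continuous,Windows,25.001.20982
ws-02,Acrobat DC,Continuous,Windows,25.001.20997
mac-01,Acrobat 2024,Classic 2024,macOS,24.001.30273
mac-02,Acrobat 2024,Classic 2024,macOS,24.001.30308
ws-03,Acrobat 2020,Classic 2020,Windows,20.005.30838
ws-04,Acrobat Reader 2020,Classic 2020,Windows,20.5.9999
ws-05,Acrobat DC,Continuous,Linux,25.001.20997
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host}: {status}")
```

The `ws-04` row shows why versions are compared as integer tuples: an inventory tool that strips leading zeros would make a plain string comparison rank `20.5.9999` above `20.005.30793` and miss an affected host.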
Currently, Adobe reports no known exploits targeting these vulnerabilities in the wild. However, the critical nature of the flaws and their potential for remote execution make prompt patching essential.
Organizations should prioritize updating all affected Acrobat installations to prevent potential compromise.
