CVE-2021-28550 — Adobe Acrobat and Reader Use-After-Free Vulnerability

CVE-2021-28550

Adobe Acrobat and Reader — Use-After-Free Zero-Day Enables Code Execution When Opening Malicious PDF; Actively Exploited Before May 2021 Patch

What is Adobe Acrobat and Reader?

Adobe Acrobat and Reader are the dominant PDF processing applications, installed on hundreds of millions of Windows and macOS systems globally. Adobe Reader is frequently pre-installed on corporate systems for PDF viewing, while Acrobat adds PDF creation and editing. The PDF format is a common document type for business communications, invoices, contracts, and reports — making it a natural delivery vector for malware. Adobe PDF processing involves complex parsing of multimedia, JavaScript, font, and image content within the PDF format; memory corruption vulnerabilities in this parsing code can be triggered simply by opening a malicious PDF, enabling code execution in the context of the Reader process.

Overview

CVE-2021-28550 is a use-after-free vulnerability (CWE-416) in Adobe Acrobat and Reader that enables code execution when a victim opens a specially crafted PDF. Adobe patched this in APSB21-29 (May 11, 2021), acknowledging active exploitation in the wild against Adobe Reader users on Windows — a confirmed zero-day. The vulnerability was exploited in targeted phishing campaigns: malicious PDFs delivered via email or web download trigger the UAF, executing attacker-supplied code in the context of the Reader process. CISA added it to KEV in November 2021.

Affected Versions

Product | Vulnerable | Fixed
Acrobat DC (Continuous) before 2021.001.20155 | Yes | 2021.001.20155
Acrobat Reader DC (Continuous) before 2021.001.20155 | Yes | 2021.001.20155
Acrobat 2020 before 2020.001.30025 | Yes | 2020.001.30025
Acrobat Reader 2020 before 2020.001.30025 | Yes | 2020.001.30025
Acrobat 2017 before 2017.011.30196 | Yes | 2017.011.30196
Acrobat Reader 2017 before 2017.011.30196 | Yes | 2017.011.30196
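
The table above can be applied mechanically to a software inventory. The following is an added example, not code from Adobe or from this page: it classifies installed builds per release track against the fixed versions listed above. The row format (host, track, version), the track labels "DC", "2020" and "2017", the handling of a two-digit year, and the sample hosts are assumptions constructed for illustration.

```python
# Added example: classify inventoried Acrobat/Reader builds against APSB21-29.
# Fixed builds come from the Affected Versions table; everything else is assumed.
FIXED = {
    "DC": (2021, 1, 20155),     # Acrobat DC / Acrobat Reader DC (Continuous)
    "2020": (2020, 1, 30025),   # Acrobat 2020 / Acrobat Reader 2020
    "2017": (2017, 11, 30196),  # Acrobat 2017 / Acrobat Reader 2017
}

def parse_version(text):
    """Turn 'YYYY.MMM.BBBBB' into an integer tuple so comparison is numeric."""
    parts = text.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"unrecognised version: {text!r}")
    year, release, build = (int(p) for p in parts)  # int() raises ValueError on junk
    if year < 100:  # assumption: some inventories report a two-digit year (21.001.20155)
        year += 2000
    return (year, release, build)

def classify(track, version):
    """Return 'vulnerable', 'fixed', 'unparsed' or 'unknown-track' for one install."""
    fixed = FIXED.get(track)
    if fixed is None:
        return "unknown-track"  # track not covered by the table: review by hand
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparsed"       # never silently treat an unreadable version as safe
    return "vulnerable" if installed < fixed else "fixed"

def triage(rows):
    """Attach a status to every (host, track, version) inventory row."""
    return [(host, track, ver, classify(track, ver)) for host, track, ver in rows]

# Constructed sample inventory (hosts and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("ws-001", "DC", "2021.001.20150"),
    ("ws-002", "DC", "21.001.20155"),
    ("ws-003", "DC", "2020.013.20074"),   # Continuous track, compared to the DC fix
    ("ws-004", "2020", "2020.001.30025"),
    ("ws-005", "2017", "2017.011.30194"),
    ("ws-006", "DC", "not reported"),
]

if __name__ == "__main__":
    for host, track, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:8} {track:5} {ver:16} {status}")
```

Each track is compared only against its own fixed build, so a Continuous-track install is never judged by the 2020 or 2017 thresholds.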

Technical Details

  • Root cause: Use-after-free (CWE-416) in Adobe Acrobat/Reader's PDF rendering engine — a PDF processing object is freed while a reference to it remains active, allowing heap corruption when the dangling reference is subsequently used
  • Exploitation: Attacker-controlled PDF content triggers the UAF condition in Acrobat's rendering pipeline, corrupting heap memory in a controlled way to redirect code execution to attacker-supplied shellcode or ROP chain
  • Delivery: Malicious PDF delivered via email attachment, web download, or malicious link (UI:R — user must open the PDF); no JavaScript execution required for the initial trigger
  • Code execution context: Arbitrary code executes in the context of the Acrobat/Reader process, running with the privileges of the logged-in user — sufficient for malware installation, credential theft, lateral movement, and persistence
  • Windows-targeted: Adobe specifically noted exploitation targeting Reader on Windows, though the vulnerability affects both Windows and macOS builds
  • APSB21-29 zero-day acknowledgment: Adobe's explicit confirmation of limited in-the-wild exploitation before patching classifies this as a zero-day at time of patch

Discovery

Discovered during analysis of active exploitation targeting Adobe Reader users on Windows. Adobe patched it on May 11, 2021, the same day as Microsoft's May 2021 Patch Tuesday, with immediate acknowledgment of active exploitation.

Exploitation Context

Malicious PDF files remain one of the most reliable initial access vectors for targeted attacks because PDFs are ubiquitous business documents that employees routinely open from email. A zero-day in Adobe Reader allows threat actors to bypass file-based security controls that rely on known vulnerability signatures. The limited targeting described by Adobe at disclosure time (targeting Windows Reader users) is consistent with targeted spear-phishing or watering-hole campaigns, likely by a nation-state or advanced cybercriminal group.

Remediation

  1. Update Adobe Acrobat and Reader to 2021.001.20155 (Acrobat DC) or the equivalent fixed version for your track via Help → Check for Updates
  2. Enable Adobe's protected mode (sandbox): Edit → Preferences → Security (Enhanced) → Enable Protected Mode at Startup
  3. Configure Adobe Reader to not execute JavaScript in PDFs from untrusted sources: Edit → Preferences → JavaScript → Uncheck "Enable Acrobat JavaScript"
  4. Deploy endpoint protection with PDF-specific behavioral detection to catch exploitation attempts even from zero-day PDFs
  5. Configure email gateways to sandbox PDFs before delivery to end users (Microsoft Defender for Office 365 Safe Attachments, Proofpoint, etc.)

Key Details

Property | Value
CVE ID | CVE-2021-28550
Vendor / Product | Adobe — Acrobat and Reader
NVD Published | 2021-09-02
NVD Last Modified | 2025-10-23
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-416
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2021-11-17
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date | Event
2021-05-11 | Adobe releases APSB21-29, patching CVE-2021-28550 as a zero-day — Adobe acknowledges 'a report that this issue has been exploited in the wild, in limited attacks targeting Adobe Reader users on Windows'
2021-09-02 | CVE formally published
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17 | CISA BOD 22-01 remediation deadline