Adobe has released security updates addressing four vulnerabilities in Acrobat and Acrobat Reader, including two critical flaws that allow arbitrary code execution on affected Windows and macOS systems. Security bulletin APSB25-119, issued December 9, 2025, covers every current track: Acrobat DC, Acrobat Reader DC, Acrobat 2024, and Acrobat 2020 (together with Reader 2020). No active exploitation of these vulnerabilities had been documented in the wild at publication, but the critical rating and the code-execution impact warrant prompt deployment across enterprise fleets and individual installations alike.
Two vulnerabilities rated critical by Adobe (CVSS 3.1 base score 7.8, which is "High" on the CVSS scale; Adobe's critical/important/moderate ratings are its own severity scheme) enable arbitrary code execution through distinct weakness classes:
CVE-2025-64785 (Untrusted Search Path, CWE-426): The application resolves a library or component by searching directories that an attacker can influence rather than loading it from a fixed, trusted path. An attacker who can place a file in a directory that is searched before the legitimate location gets that file loaded and executed with the privileges of the Acrobat process. This class needs the malicious file to already be on the file system, so it is better suited to privilege escalation or persistence after an initial foothold than to a pure drive-by attack.
CVE-2025-64899 (Out-of-Bounds Read, CWE-125): The PDF parser reads past the end of a buffer while processing a crafted file. Adobe rates the impact as arbitrary code execution; an out-of-bounds read on its own usually yields information disclosure (leaking pointers or heap contents that defeat ASLR) and is turned into code execution by chaining it with additional memory-corruption primitives. The trigger is opening a malicious document, so this is the bug that matters for email attachments and drive-by delivery.
Both critical flaws carry a CVSS base score of 7.8, the score Acrobat file-parsing bugs typically receive. That score is consistent with a local attack vector: the attacker cannot reach the target over the network and must instead get a crafted file onto the machine or opened by the user, which in practice means an email attachment or a download from a compromised or malicious website. "Remote" code execution here refers to remote delivery, not a network-reachable service.
Two additional moderate-severity vulnerabilities (CVSS 3.3 each) involve improper verification of cryptographic signatures (CWE-347):
CVE-2025-64786 and CVE-2025-64787: Both stem from improper verification of cryptographic signatures and are classed as a security feature bypass: an attacker could get a document past a check intended to validate its authenticity or integrity. The 3.3 base score indicates a single low-impact metric (limited confidentiality or integrity loss, no availability impact) and does not correspond to code execution; these flaws alone do not run attacker-controlled code and are mainly of interest where signed PDFs are relied on for approval or non-repudiation.
The vulnerabilities affect widely deployed Acrobat and Reader versions across both major operating platforms:
| Product | Track | Affected Versions | Platforms |
|---|---|---|---|
| Acrobat DC | Continuous | 25.001.20982 and earlier | Windows & macOS |
| Acrobat Reader DC | Continuous | 25.001.20982 and earlier | Windows & macOS |
| Acrobat 2024 | Classic 2024 | Win: 24.001.30264 and earlier; Mac: 24.001.30273 and earlier | Windows & macOS |
| Acrobat 2020 | Classic 2020 | Win: 20.005.30793 and earlier; Mac: 20.005.30803 and earlier | Windows & macOS |
| Acrobat Reader 2020 | Classic 2020 | Win: 20.005.30793 and earlier; Mac: 20.005.30803 and earlier | Windows & macOS |
Every build on every supported track prior to this release is listed as affected, so any installation that has not taken the December update is vulnerable regardless of how recently it was otherwise patched.
Adobe released patched versions across all affected product tracks:
Acrobat DC and Reader DC Continuous Track: Version 25.001.20997 (Windows and macOS)
Acrobat 2024: Version 24.001.30307 (Windows) and 24.001.30308 (macOS)
Acrobat 2020 and Reader 2020: Version 20.005.30838 (both Windows and macOS)
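A practitioner's first job after reading the affected-versions table and the fixed-version list above is to work out which hosts in an inventory are still exposed. The following is an added example, not part of the bulletin or of any Adobe tooling: a Python version check that encodes the fixed versions from the list above and compares installed builds against them. Track labels ("continuous", "classic2024", "classic2020"), the inventory row layout, and the hostnames in the sample are this example's own assumptions.

```python
"""Check installed Acrobat / Acrobat Reader builds against the APSB25-119 fixed versions."""
import re

# Fixed versions as listed in the bulletin summary, keyed by (track, platform).
# Track labels are this example's own; Acrobat and Reader share a build on each track.
FIXED_VERSIONS = {
    ("continuous", "win"): "25.001.20997",
    ("continuous", "mac"): "25.001.20997",
    ("classic2024", "win"): "24.001.30307",
    ("classic2024", "mac"): "24.001.30308",
    ("classic2020", "win"): "20.005.30838",
    ("classic2020", "mac"): "20.005.30838",
}

# Classic tracks stay on one major version for their lifetime. The Continuous
# track rolls forward, so any Continuous build below the fixed one is "earlier"
# whatever its major number; no major check is applied to it.
_CLASSIC_MAJOR = {"classic2024": 24, "classic2020": 20}

_VERSION_RE = re.compile(r"^(\d+)\.(\d{3})\.(\d+)$")


def parse_version(version: str) -> tuple:
    """Split 'MM.mmm.bbbbb' into a tuple of ints.

    Tuple comparison is essential: compared as strings, a build such as
    '25.001.9999' would sort above '25.001.20997' and look patched.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not an Acrobat version string: {version!r}")
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def is_patched(version: str, track: str, platform: str) -> bool:
    """True if the build is at or above the APSB25-119 fixed version for its track and platform."""
    key = (track, platform.lower())
    if key not in FIXED_VERSIONS:
        raise ValueError(f"no APSB25-119 fixed version recorded for {track} on {platform}")
    installed = parse_version(version)
    if track in _CLASSIC_MAJOR and installed[0] != _CLASSIC_MAJOR[track]:
        # A 25.x build recorded as Classic 2024 means the inventory row is wrong;
        # refuse rather than emit a misleading verdict.
        raise ValueError(f"{version} is not a {track} build")
    return installed >= parse_version(FIXED_VERSIONS[key])


def triage(inventory) -> list:
    """Return the hostnames still running a vulnerable build.

    inventory rows are (hostname, version, track, platform) tuples.
    """
    return [host for host, version, track, platform in inventory
            if not is_patched(version, track, platform)]


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames are invented.
    sample = [
        ("ws-001", "25.001.20982", "continuous", "win"),
        ("ws-002", "25.001.20997", "continuous", "win"),
        ("mac-010", "24.001.30307", "classic2024", "mac"),  # fixed build on Windows, one short on macOS
        ("srv-020", "20.005.30793", "classic2020", "win"),
    ]
    print("vulnerable:", triage(sample))
```

Feed it whatever your inventory tool exports (the version string, the product's track, and the OS); the only non-obvious rules it enforces are numeric rather than lexical comparison and the one-build difference between the Windows and macOS fixes on the Classic 2024 track.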
End users can update through the application's built-in updater (Help > Check for Updates), by allowing the product to install updates automatically when it detects them, or by installing the current release from Adobe's download pages. IT administrators managing enterprise deployments should push the updated installers through their preferred deployment infrastructure rather than relying on per-user updates.
Although Adobe reports no current known exploits targeting these vulnerabilities, the critical nature of code execution flaws combined with PDF ubiquity in business communication creates significant risk. PDF documents remain a primary attack vector for initial access operations, ransomware distribution, and targeted spear-phishing campaigns.
Enterprise security teams should patch the Continuous track (Acrobat DC and Reader DC) first, given its prevalence in business environments, then the Classic 2024 and Classic 2020 tracks. Code execution as the logged-on user is exactly the foothold that email-delivered malicious attachments and drive-by downloads are designed to obtain; everything that follows in an intrusion (credential theft, lateral movement, ransomware staging) builds on it.
Organizations unable to deploy the patch immediately should consider the following compensating controls, none of which removes the vulnerability:
Disable PDF previewing in email clients: a preview handler that renders attachments with Acrobat parses the file without the user explicitly opening it, so require users to save and open PDFs deliberately instead.
File type restrictions: use endpoint controls to block or quarantine PDFs opened from untrusted network locations and external sources.
Security scanning: deploy email and file scanning capable of detecting malicious PDF characteristics, keeping in mind that a file exploiting a parser bug of this kind need not contain JavaScript or other active content, so structural checks and detonation matter more than keyword matching.
User awareness: remind users of the risk of opening unexpected PDF attachments from unfamiliar senders, recognising that awareness alone does not stop a parser-level exploit in a plausibly crafted document.
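To make the "security scanning" control above concrete, here is an added example (not part of the bulletin, and not a detector for these specific CVEs) of the static triage a mail gateway or SOC script can apply to an attached PDF before it reaches a vulnerable reader: it locates the file header, counts name objects that are commonly abused for initial access, and resolves the "#xx" escapes that attackers use to hide those names. Because the critical bugs here are in the parser, a weaponized file can contain none of these names; the check raises the cost of the common attachment patterns and nothing more. The sample PDFs are constructed inline and are not real malware.

```python
"""Static triage of a PDF attachment for features commonly abused in phishing."""
import re
from collections import Counter

# PDF name objects worth counting. Presence is a triage signal, not proof of
# malice: forms, links and portfolios use several of these legitimately.
SUSPICIOUS_NAMES = {
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/URI",
}

# A name token is '/' followed by characters that are neither whitespace nor
# PDF delimiters; '#xx' hex escapes are allowed, so /J#61vaScript is the same
# name as /JavaScript and must be decoded before matching.
_NAME_TOKEN = re.compile(rb"/(?:[^\s/\[\]<>(){}%#]|#[0-9A-Fa-f]{2})+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(token: bytes) -> bytes:
    """Resolve '#xx' escapes in a PDF name token."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def count_names(data: bytes) -> Counter:
    """Count suspicious name objects visible in the raw (uncompressed) bytes."""
    counts = Counter()
    for m in _NAME_TOKEN.finditer(data):
        name = decode_name(m.group(0))
        if name in SUSPICIOUS_NAMES:
            counts[name.decode("latin-1")] += 1
    return counts


def triage_pdf(data: bytes) -> dict:
    """Return header offset, name counts, suspicion flags and coverage notes."""
    # Acrobat accepts a header anywhere in the first 1024 bytes, so leading
    # junk is both tolerated by the reader and a classic evasion trick.
    header = data.find(b"%PDF-", 0, 1024)
    names = count_names(data)
    flags, notes = [], []
    if header < 0:
        flags.append("no-pdf-header-in-first-1KiB")
    elif header > 0:
        flags.append(f"header-at-offset-{header}")
    auto_action = names["/OpenAction"] or names["/AA"]
    active = names["/JavaScript"] or names["/JS"] or names["/Launch"]
    if auto_action and active:
        flags.append("auto-action-with-script-or-launch")
    if names["/EmbeddedFile"] or names["/RichMedia"]:
        flags.append("embedded-content")
    if b"/ObjStm" in data:
        # Names inside compressed object streams are invisible to a raw scan;
        # a clean result on such a file is not a clean bill of health.
        notes.append("object-streams-present-coverage-incomplete")
    return {"header_offset": header, "names": dict(names),
            "flags": flags, "notes": notes, "suspicious": bool(flags)}


# Constructed samples: a minimal benign file, and one with junk before the
# header whose catalog runs a hex-escaped JavaScript action on open.
SAMPLE_BENIGN = (b"%PDF-1.7\n"
                 b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
                 b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
                 b"trailer<</Root 1 0 R>>\n%%EOF\n")
SAMPLE_SUSPECT = (b"junk\n%PDF-1.7\n"
                  b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 3 0 R>>endobj\n"
                  b"3 0 obj<</S/J#61vaScript/JS(app.alert(1))>>endobj\n"
                  b"trailer<</Root 1 0 R>>\n%%EOF\n")

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(label, triage_pdf(sample))
```

Run it over the raw bytes of an attachment at the gateway; a non-empty flags list is a reason to detonate or hold the file, while the notes field tells the analyst when object streams mean the scan could not see everything.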
Given the severity, and since the absence of a known exploit at publication says nothing about how quickly one can be derived once the patched and unpatched binaries can be compared, prompt patching is the only mitigation that removes the risk rather than narrowing it, for organizations of every size.