New Participant

Question

Potential vulnerability issue with Adobe Acrobat Reader

Forum|Forum|10 months ago
March 17, 2025
7 replies
10946 views

Hi,

I've recently discovered that the latest version of Adobe Acrobat Reader v2025.1.20432.0 is still using vulnerable openssl library v3.0.14, however the new v3.0.16 is available. I am wondering if there is a planned fix for updating the openssl library from Adobe in order to mitigate vulnerabilities related to openssl library? Thanks in advance.

Security digital signatures and esignatures

D

David37162750fmfl

New Participant

Acrobat/Reader 25.001.20521 that was released 6/3 comes with openssl 3.0.16 and should close this vuln. Other Adobe Creative apps are still yet to be updated.

S_S

Community Manager

Hi all,

Thanks for your patience.

We are live with a new update.

Please update the app to the latest version (2025.001.205xx) and let us know if the issue is fixed.

More info here: https://adobe.ly/4kzCGWW.

Look forward to hearing from you.

Regards,
Souvik.

GermanKiwi

Participating Frequently

Hi @S. S thanks for the info, much appreciated!

Can you confirm if Lightroom and Photoshop are getting updates soon to patch their openSSL vulnerabilities too?

(See my comment here)

GermanKiwi

Participating Frequently

Hi @Tariq Ahmad Dar , thanks for continuing to pursue this with your development team for us!

Someone mentioned the same vulnerable openSSL files also existing in Photoshop and InDesign. On my own computer, I have Photoshop and Lightroom Classic, and they both have vulnerable versions of openSSL at these locations:

Path	openSSL version
C:\Program Files\Adobe\Adobe Lightroom Classic\libcrypto-3-x64.dll	3.0.15.0
C:\Program Files\Adobe\Adobe Lightroom Classic\libssl-3-x64.dll	3.0.15.0
C:\Program Files\Adobe\Adobe Photoshop 2025\libcrypto-3-x64.dll	3.0.14.0
C:\Program Files\Adobe\Adobe Photoshop 2025\libssl-3-x64.dll	3.0.14.0

Have you, or can you, also inform the respeonsible teams for Photoshop, Lightroom, and InDesign, to patch their applications too?

And are they also checking all other Adobe products for these files?

P

Patti230823519pax

New Participant

We have removed adobe products due to this. It's been months and still not fixed. My client can no longer justify the expense of their products and their inability to patch these things in a timely manner.

M

mw_wm

New Participant

Same issue.

I have updated the Acrobat Reader DC (x86) to 25.001.20474.

openssl library v3.0.15.0, CVE-2024-13176

c:\program files (x86)\adobe\acrobat reader dc\reader\plug_ins\libcrypto-3.dll

c:\program files (x86)\adobe\acrobat reader dc\reader\plug_ins\libssl-3.dll

Please help to fix the x86 version of Acrobat Reader DC. Thanks.

S

Soothing_Canvas8910Author

New Participant

The newest version 25.001.20458 of Adobe Reader now contains vulnerable openssl libraries v3.0.15 in c:\program files\adobe\Acrobat dc\acrobat\plug_ins\libcrypto-3-x64.dll and c:\program files\adobe\Acrobat dc\acrobat\plug_ins\libssl-3-x64.dll. Microsoft Security Defender gave a security reccomendation of updating to v3.0.16 two days ago. Thought that will post it here since the problem is related to the previous issue. Thanks in advance.

GermanKiwi

Participating Frequently

Yeah I was about to post the same! @Tariq Ahmad Dar can you kindly ask your dev team to please update the OpenSSL libraries to version 3.0.16 and push out another update of Adobe DC for us? Thanks! 🙂

T

Tariq Ahmad

Community Manager

Hi, @GermanKiwi - thanks for tagging me on this.
I will consult with the product team and share updates as soon as I have information.

~Tariq

damianb55375603

New Participant

I have the same with Photoshop and InDesign

JR Boulay

Community Expert

[MOVED TO THE ACROBAT READER DISCUSSIONS]

Acrobate du PDF, InDesigner et Photoshopographe

T

Tariq Ahmad

Community Manager

Hi @Soothing_Canvas8910,

Thanks for reaching out with your question. I really appreciate this for reporting this.

We will be checking internally with the team once we have any updates and will keep this thread updated.

Thank you for your patience.

~Tariq

GermanKiwi

Participating Frequently

Hi @Tariq Ahmad , thanks for looking into this!

I wanted to add some extra info: I'm using Microsoft 365 for Business to manage the computers within my organisation. This includes Microsoft Defender for Business, which provides additional monitoring of the computers.

Since last week, MS Defender has been flagging Acrobat Reader v2025.1.20432.0 as containing a security vulnerability due to the vulnerable version of OpenSSL it's using.

The vulnerable file itself is:

c:\program files\adobe\acrobat dc\acrobat\rdrtools\libcrypto-3-x64.dll

...and as far as I'm aware, this file didn't exist with the previous version of Acrobat Reader - I believe it's new since version 2025.1.20432.0.

I've attached screenshots here showing the details of the Microsoft Defender report.

Therefore it's likely that other business and enterprise customers who are using Microsoft 365 will be seeing this report too, since last week, and will now be considering Acrobat Reader to be a security vulnerability.

I'm sharing this with you so you're aware that this is a potentially serious concern that Adobe needs to fix sooner than later! 🙂

T

Tariq Ahmad

Community Manager

Thanks for sharing more details on this, @GermanKiwi!

Really appreciate your time for sharing the details.

~Tariq

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded