New Participant

Question

Potential vulnerability issue with Adobe Acrobat Reader

Forum|Forum|10 months ago
March 17, 2025
7 replies
10943 views

Hi,

I've recently discovered that the latest version of Adobe Acrobat Reader v2025.1.20432.0 is still using vulnerable openssl library v3.0.14, however the new v3.0.16 is available. I am wondering if there is a planned fix for updating the openssl library from Adobe in order to mitigate vulnerabilities related to openssl library? Thanks in advance.

Security digital signatures and esignatures

D

David37162750fmfl

New Participant

Acrobat/Reader 25.001.20521 that was released 6/3 comes with openssl 3.0.16 and should close this vuln. Other Adobe Creative apps are still yet to be updated.

S_S

Community Manager

Hi all,

Thanks for your patience.

We are live with a new update.

Please update the app to the latest version (2025.001.205xx) and let us know if the issue is fixed.

More info here: https://adobe.ly/4kzCGWW.

Look forward to hearing from you.

Regards,
Souvik.

GermanKiwi

Participating Frequently

Hi @S. S thanks for the info, much appreciated!

Can you confirm if Lightroom and Photoshop are getting updates soon to patch their openSSL vulnerabilities too?

(See my comment here)

GermanKiwi

Participating Frequently

Hi @Tariq Ahmad Dar , thanks for continuing to pursue this with your development team for us!

Someone mentioned the same vulnerable openSSL files also existing in Photoshop and InDesign. On my own computer, I have Photoshop and Lightroom Classic, and they both have vulnerable versions of openSSL at these locations:

Path	openSSL version
C:\Program Files\Adobe\Adobe Lightroom Classic\libcrypto-3-x64.dll	3.0.15.0
C:\Program Files\Adobe\Adobe Lightroom Classic\libssl-3-x64.dll	3.0.15.0
C:\Program Files\Adobe\Adobe Photoshop 2025\libcrypto-3-x64.dll	3.0.14.0
C:\Program Files\Adobe\Adobe Photoshop 2025\libssl-3-x64.dll	3.0.14.0

Have you, or can you, also inform the respeonsible teams for Photoshop, Lightroom, and InDesign, to patch their applications too?

And are they also checking all other Adobe products for these files?

P

Patti230823519pax

New Participant

We have removed adobe products due to this. It's been months and still not fixed. My client can no longer justify the expense of their products and their inability to patch these things in a timely manner.

M

mw_wm

New Participant

Same issue.

I have updated the Acrobat Reader DC (x86) to 25.001.20474.

openssl library v3.0.15.0, CVE-2024-13176

c:\program files (x86)\adobe\acrobat reader dc\reader\plug_ins\libcrypto-3.dll

c:\program files (x86)\adobe\acrobat reader dc\reader\plug_ins\libssl-3.dll

Please help to fix the x86 version of Acrobat Reader DC. Thanks.

S

Soothing_Canvas8910Author

New Participant

The newest version 25.001.20458 of Adobe Reader now contains vulnerable openssl libraries v3.0.15 in c:\program files\adobe\Acrobat dc\acrobat\plug_ins\libcrypto-3-x64.dll and c:\program files\adobe\Acrobat dc\acrobat\plug_ins\libssl-3-x64.dll. Microsoft Security Defender gave a security reccomendation of updating to v3.0.16 two days ago. Thought that will post it here since the problem is related to the previous issue. Thanks in advance.

GermanKiwi

Participating Frequently

Yeah I was about to post the same! @Tariq Ahmad Dar can you kindly ask your dev team to please update the OpenSSL libraries to version 3.0.16 and push out another update of Adobe DC for us? Thanks! 🙂

T

Tariq Ahmad

Community Manager

Hi, @GermanKiwi - thanks for tagging me on this.
I will consult with the product team and share updates as soon as I have information.

~Tariq

damianb55375603

New Participant

I have the same with Photoshop and InDesign

JR Boulay

Adobe Expert

[MOVED TO THE ACROBAT READER DISCUSSIONS]

Acrobate du PDF, InDesigner et Photoshopographe

T

Tariq Ahmad

Community Manager

Hi @Soothing_Canvas8910,

Thanks for reaching out with your question. I really appreciate this for reporting this.

We will be checking internally with the team once we have any updates and will keep this thread updated.

Thank you for your patience.

~Tariq

J

JingsNo

New Participant

Any news on this? It's been at least a week since Adobe was made aware of this, and almost two weeks since you released an Acrobat version, with a vulnerable version of openssl (libcrypto-3-x64.dll). Adobe Acrobat Reader is currently listed as the higest ranking security threat in Microsoft Defender, in our organization. due to this. It would be nice if Adobe acknowles that this is a problem, somewhere, but as far as I can tell, this is not listet anywhere, as a "known issues", and/or as a security bulletin, but only in this forum post.
I'm not really that concerned about the security risk, but more about the noise ths creates in our security systems.

T

Tariq Ahmad

Community Manager

Hi @JingsNo - Sorry for the troubled experience.

This has been already reported internally to the product engineering team. Sadly there are no new updates that we can share publically on this issue.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded