Hi,
I've recently discovered that the latest version of Adobe Acrobat Reader v2025.1.20432.0 is still using the vulnerable openssl library v3.0.14; however, the new v3.0.16 is available. I am wondering if there is a planned fix for updating the openssl library from Adobe in order to mitigate vulnerabilities related to the openssl library? Thanks in advance.
Thanks for reaching out with your question. I really appreciate you reporting this.
We will be checking internally with the team once we have any updates and will keep this thread updated.
Thank you for your patience.
~Tariq
Hi @Tariq Ahmad, thanks for looking into this!
I wanted to add some extra info: I'm using Microsoft 365 for Business to manage the computers within my organisation. This includes Microsoft Defender for Business, which provides additional monitoring of the computers.
Since last week, MS Defender has been flagging Acrobat Reader v2025.1.20432.0 as containing a security vulnerability due to the vulnerable version of OpenSSL it's using.
The vulnerable file itself is:
c:\program files\adobe\acrobat dc\acrobat\rdrtools\libcrypto-3-x64.dll
...and as far as I'm aware, this file didn't exist with the previous version of Acrobat Reader - I believe it's new since version 2025.1.20432.0.
I've attached screenshots here showing the details of the Microsoft Defender report.
Therefore it's likely that other business and enterprise customers who are using Microsoft 365 will be seeing this report too, since last week, and will now be considering Acrobat Reader to be a security vulnerability.
I'm sharing this with you so you're aware that this is a potentially serious concern that Adobe needs to fix sooner than later! 🙂
Thanks for sharing more details on this, @GermanKiwi!
Really appreciate your time for sharing the details.
~Tariq
In addition to c:\program files\adobe\acrobat dc\acrobat\rdrtools\libcrypto-3-x64.dll, the path c:\program files\adobe\acrobat dc\acrobat\tools\libcrypto-3-x64.dll also contains the vulnerable file.
In Photoshop we have an issue with the paths below:
c:\program files\adobe\adobe photoshop 2024\libcrypto-3-x64.dll
c:\program files\adobe\adobe photoshop 2024\libssl-3-x64.dll
c:\program files\adobe\adobe photoshop 2025\libcrypto-3-x64.dll
c:\program files\adobe\adobe photoshop 2025\libssl-3-x64.dll
Any news on this? It's been at least a week since Adobe was made aware of this, and almost two weeks since you released an Acrobat version with a vulnerable version of openssl (libcrypto-3-x64.dll). Adobe Acrobat Reader is currently listed as the highest ranking security threat in Microsoft Defender in our organization, due to this. It would be nice if Adobe acknowledges that this is a problem, somewhere, but as far as I can tell, this is not listed anywhere as a "known issue" and/or as a security bulletin, but only in this forum post.
I'm not really that concerned about the security risk, but more about the noise this creates in our security systems.
Hi @JingsNo - Sorry for the troubled experience.
This has been already reported internally to the product engineering team. Sadly there are no new updates that we can share publicly on this issue.
Has there been any update @Tariq Ahmad ?
@Tariq Ahmad Any further news? Our management does not like seeing this vulnerability on our systems. We are not comfortable accepting this risk. Eventually, they will select an alternative product and move on.
Hi,
Adobe Acrobat Reader, release of March 12, 2025, version 25.001.20432
is distributed with:
| path | product | version |
| --- | --- | --- |
| c:\program files\adobe\acrobat dc\acrobat\tools\libcrypto-3-x64.dll | openssl | 3.0.14.0 |
| c:\program files\adobe\acrobat dc\acrobat\rdrtools\libcrypto-3-x64.dll | openssl | 3.0.14.0 |
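
For admins who want to confirm locally what Defender is reporting, the following added example (not part of any post in this thread and not Adobe tooling) lists the bundled OpenSSL 3.x DLLs under the Adobe install directories and flags those below 3.0.16. It assumes the DLL's file-version resource mirrors the OpenSSL release, as the table above suggests; the variable names and status labels are illustrative.

```powershell
# Added example, not Adobe's tooling. Assumes the DLL's Windows version
# resource mirrors the OpenSSL release, as in the table above (3.0.14.0).
$MinimumVersion = [version]'3.0.16.0'   # fixed 3.0.x release named in the thread
$NamePattern    = '^lib(crypto|ssl)-3(-x64)?\.dll$'

# Both Program Files trees, since the thread reports paths under each.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Adobe' } |
    Where-Object { Test-Path -LiteralPath $_ }

$inventory = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'lib*.dll' -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $NamePattern } |
        ForEach-Object {
            $info = $_.VersionInfo
            if ([string]::IsNullOrWhiteSpace($info.FileVersion)) {
                # No version resource: report it rather than guessing.
                $version = $null
                $status  = 'NoVersionInfo'
            }
            else {
                $version = $info.FileVersionRaw
                $status  = if ($version -lt $MinimumVersion) { 'BelowMinimum' } else { 'OK' }
            }
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $version
                Status  = $status
            }
        }
}

# One row per DLL; several copies per product are expected (tools, rdrtools, plug_ins).
$inventory | Sort-Object Status, Path | Format-Table -AutoSize -Wrap
```

The threshold applies to the 3.0.x series discussed in this thread; a DLL from another OpenSSL branch needs that branch's own fixed version as the comparison value.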
Any updates regarding this? All of our systems with Adobe Reader are flagging the OpenSSL vulnerability for path "c:\program files\adobe\acrobat dc\acrobat\rdrtools\libcrypto-3-x64.dll".
Adobe PSIRT team stated on 4/4: "Acrobat Desktop fixes the vulnerable 3rd party libraries at a regular cadence. Openssl will be upgraded to the latest version during their next release."
Any estimate on when the next release will take place? We are hoping to clean up our vulnerability reporting as it's currently flagging nearly every workstation in our org.
A new update popped out today with version 25.001.20458 of Adobe Reader fixing the openssl library version to the newest one v3.0.16 in rdrtools path.
@Soothing_Canvas8910 awesome! Thanks for confirming this.
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\libcrypto-3.dll
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\libssl-3.dll
Still on 3.0.15. @Tariq Ahmad, when is it planned to update these libraries too?
[MOVED TO THE ACROBAT READER DISCUSSIONS]
I have the same with Photoshop and InDesign
The newest version 25.001.20458 of Adobe Reader now contains vulnerable openssl libraries v3.0.15 in c:\program files\adobe\Acrobat dc\acrobat\plug_ins\libcrypto-3-x64.dll and c:\program files\adobe\Acrobat dc\acrobat\plug_ins\libssl-3-x64.dll. Microsoft Security Defender gave a security recommendation of updating to v3.0.16 two days ago. Thought I would post it here since the problem is related to the previous issue. Thanks in advance.
Yeah I was about to post the same! @Tariq Ahmad Dar can you kindly ask your dev team to please update the OpenSSL libraries to version 3.0.16 and push out another update of Adobe DC for us? Thanks! 🙂
Hi, @GermanKiwi - thanks for tagging me on this.
I will consult with the product team and share updates as soon as I have information.
~Tariq
Dear @Tariq Ahmad, could you please share an update? It's been escalated by an auditor from State Government.
Just to add my voice to the chorus - I also need an update on when Adobe will be updating the OpenSSL plugin.
It appears to impact most Adobe products.
@Tariq Ahmad Dar Can you please provide an update in this discussion?
Hi @Kovac_NZ,
Sorry, no updates I am aware of. I am checking internally with the product engineering.
Thank you for your patience and support.
~Tariq