Potential vulnerability issue with Adobe Acrobat Reader

Report · Mar 17, 2025

Hi,

I've recently discovered that the latest version of Adobe Acrobat Reader v2025.1.20432.0 is still using vulnerable openssl library v3.0.14, however the new v3.0.16 is available. I am wondering if there is a planned fix for updating the openssl library from Adobe in order to mitigate vulnerabilities related to openssl library? Thanks in advance.

Report · May 22, 2025

Hi can we have an update on when the expected fix will be ready as many users have said this old CVE being reported by our security systems looks incredibly bad. Makes us IT professinals lok like we are not patching, updating. Leads us to convince our managers and users to move away from Adobe products.

Report · May 22, 2025

Agree.

I am curious about the vulnerability scanning tool Adobe uses internally. How did the latest Acrobat Reader DC (x86) patch update (25.001.20474) end up including the outdated and vulnerable OpenSSL library v3.0.15.0 (CVE-2024-13176)?

Report · May 22, 2025

I emailed Adobe Product Security Incident Response Team (PSIRT) team again to ask for an update. I recommend any companies dealing with this email them as well,. I'm hopeful it will get the attention it deserves from Adobe's product teams soon.

psirt@adobe.com

Report · May 08, 2025

Same issue.

I have updated the Acrobat Reader DC (x86) to 25.001.20474.

openssl library v3.0.15.0, CVE-2024-13176

c:\program files (x86)\adobe\acrobat reader dc\reader\plug_ins\libcrypto-3.dll

c:\program files (x86)\adobe\acrobat reader dc\reader\plug_ins\libssl-3.dll

Please help to fix the x86 version of Acrobat Reader DC. Thanks.

Report · May 23, 2025

Hi @Tariq Ahmad Dar , thanks for continuing to pursue this with your development team for us!

Someone mentioned the same vulnerable openSSL files also existing in Photoshop and InDesign. On my own computer, I have Photoshop and Lightroom Classic, and they both have vulnerable versions of openSSL at these locations:

Path	openSSL version
C:\Program Files\Adobe\Adobe Lightroom Classic\libcrypto-3-x64.dll	3.0.15.0
C:\Program Files\Adobe\Adobe Lightroom Classic\libssl-3-x64.dll	3.0.15.0
C:\Program Files\Adobe\Adobe Photoshop 2025\libcrypto-3-x64.dll	3.0.14.0
C:\Program Files\Adobe\Adobe Photoshop 2025\libssl-3-x64.dll	3.0.14.0

Have you, or can you, also inform the respeonsible teams for Photoshop, Lightroom, and InDesign, to patch their applications too?

And are they also checking all other Adobe products for these files?

Report · May 28, 2025

We have removed adobe products due to this. It's been months and still not fixed. My client can no longer justify the expense of their products and their inability to patch these things in a timely manner.

Report · Jun 04, 2025

Acrobat/Reader 25.001.20521 that was released 6/3 comes with openssl 3.0.16 and should close this vuln. Other Adobe Creative apps are still yet to be updated.

Report · Jun 14, 2025

Hi all,

Thanks for your patience.

We are live with a new update.

Please update the app to the latest version (2025.001.205xx) and let us know if the issue is fixed.

More info here: https://adobe.ly/4kzCGWW.

Look forward to hearing from you.

Regards,
Souvik.

Report · Jun 15, 2025

Hi @S. S thanks for the info, much appreciated!

Can you confirm if Lightroom and Photoshop are getting updates soon to patch their openSSL vulnerabilities too?

(See my comment here)

Report · Jun 16, 2025

Hi @GermanKiwi,

Thanks for the response.

I might not be the best person to comment on the other apps.

However, let me share the thread with my colleagues who would be better equipped to answer this.

I request your kind understanding and patience while the team looks into it, and gets back to you.

Regards,
Souvik.

Report · Jun 17, 2025

I had Photoshop and Illustrator update today, but looks like they still have the vulneralble OpenSSL version 3.0.14.

Report · Jun 17, 2025

Hi @GermanKiwi,

Thanks for writing in!

I have shared this with the concerned team, and they will update the thread as and when they get information from the product team.

Regards,
Souvik.