Cyber Resilience

CVE-2014-0546

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 12 August 2014

Modified: 21 April 2026
KEV Added: 25 May 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2844 (96.6th percentile)
Risk Priority: 57 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2014-0546 is a critical-severity vulnerability in Adobe Acrobat with an unspecified weakness type. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 3.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SC-50 (Software-enforced Separation and Policy Enforcement).

Deeper analysis

Adobe Reader and Acrobat 10.x before 10.1.11 and 11.x before 11.0.08 on Windows contain a sandbox bypass vulnerability tracked as CVE-2014-0546. The flaw allows attackers to circumvent the sandbox protection mechanism and execute native code in a privileged context via unspecified vectors, carrying a CVSS 3.1 score of 9.8 reflecting network attack vector, low complexity, and no required privileges or user interaction.

An unauthenticated remote attacker can exploit the issue to escape the sandbox and achieve privileged native code execution on the target system. The published description provides no further constraints on the attack delivery method beyond the unspecified vectors.

Adobe's APSB14-19 security bulletin addresses the issue by releasing updated builds that correct the sandbox bypass in the affected Reader and Acrobat products on Windows; the same advisory is referenced by multiple vulnerability trackers. No information on observed in-the-wild exploitation is supplied in the source data.

Vulnerability details

Adobe Reader and Acrobat 10.x before 10.1.11 and 11.x before 11.0.08 on Windows allow attackers to bypass a sandbox protection mechanism, and consequently execute native code in a privileged context, via unspecified vectors.

CWE(s)
KEV Date Added: 25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: adobe | Product: acrobat | Versions: 10.0 — 10.1.11 · 11.0 — 11.0.08
Vendor: adobe | Product: acrobat reader | Versions: 10.0 — 10.1.11 · 11.0 — 11.0.08

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly enforces software-based separation between the Reader sandbox and privileged native execution contexts, blocking the exact bypass described in CVE-2014-0546.

Prevent: Requires process isolation boundaries that the vulnerability explicitly circumvents to reach privileged native code.

Prevent: Limits privileges available inside the sandbox so that even a successful bypass cannot immediately yield full native execution rights.
