CVE-2014-0546
Published: 12 August 2014
Summary
CVE-2014-0546 is a critical-severity an unspecified weakness vulnerability in Adobe Acrobat. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 3.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SC-50 (Software-enforced Separation and Policy Enforcement).
Deeper analysis
Adobe Reader and Acrobat 10.x before 10.1.11 and 11.x before 11.0.08 on Windows contain a sandbox bypass vulnerability tracked as CVE-2014-0546. The flaw allows attackers to circumvent the sandbox protection mechanism and execute native code in a privileged context via unspecified vectors, carrying a CVSS 3.1 score of 9.8 reflecting network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated remote attacker can exploit the issue to escape the sandbox and achieve privileged native code execution on the target system. The published description provides no further constraints on the attack delivery method beyond the unspecified vectors.
Adobe's APSB14-19 security bulletin addresses the issue by releasing updated builds that correct the sandbox bypass in the affected Reader and Acrobat products on Windows; the same advisory is referenced by multiple vulnerability trackers. No information on observed in-the-wild exploitation is supplied in the source data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2014-0577
Vulnerability details
Adobe Reader and Acrobat 10.x before 10.1.11 and 11.x before 11.0.08 on Windows allow attackers to bypass a sandbox protection mechanism, and consequently execute native code in a privileged context, via unspecified vectors.
- CWE(s)
- KEV Date Added
- 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces software-based separation between the Reader sandbox and privileged native execution contexts, blocking the exact bypass described in CVE-2014-0546.
Requires process isolation boundaries that the vulnerability explicitly circumvents to reach privileged native code.
Limits privileges available inside the sandbox so that even a successful bypass cannot immediately yield full native execution rights.