CVE-2025-27161
Published: 11 March 2025
Summary
CVE-2025-27161 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Adobe Acrobat. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 29.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely patching of known flaws such as this out-of-bounds read in vulnerable Acrobat Reader versions.
- RA-5 (Vulnerability Monitoring and Scanning): enables scanning to identify systems running affected Acrobat Reader versions exposed to this CVE.
- Memory protections such as ASLR and DEP mitigate code execution resulting from exploitation of the out-of-bounds read.
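The RA-5 control above depends on being able to tell affected builds from clean ones in a software inventory. The following added example (not code from Adobe, NVD, or this advisory site) classifies Acrobat Reader version strings against the three affected ceilings named in the NVD description on this page. It assumes that a build newer than the listed ceiling on the same release track is not affected; the page does not name the fixed builds, so that boundary must be confirmed against Adobe bulletin APSB25-14. The hostnames and the inventory lines are constructed sample data.

```python
"""Classify Acrobat Reader versions against the affected builds listed for
CVE-2025-27161. Added illustrative example; not Adobe's or NVD's tooling."""

# Highest affected build per release track, taken from the NVD description:
# "24.001.30225, 20.005.30748, 25.001.20428 and earlier". Keyed by the
# leading (track) component of the version string.
AFFECTED_CEILING = {
    25: (25, 1, 20428),   # 25.001.20428 and earlier
    24: (24, 1, 30225),   # 24.001.30225 and earlier
    20: (20, 5, 30748),   # 20.005.30748 and earlier
}


def parse_version(text):
    """Turn '25.001.20428' into (25, 1, 20428). Integer comparison is used so
    that '25.010.x' correctly sorts above '25.001.x'; raises on bad input."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Return 'affected', 'not-affected' or 'unknown-track'.

    ASSUMPTION: a build above the listed ceiling on the same track is treated
    as not affected. The page does not name the fixed builds, so confirm the
    boundary against APSB25-14 before relying on 'not-affected'.
    A track the page does not list is reported as 'unknown-track' rather
    than silently marked clean.
    """
    version = parse_version(version_text)
    ceiling = AFFECTED_CEILING.get(version[0])
    if ceiling is None:
        return "unknown-track"
    return "affected" if version <= ceiling else "not-affected"


def triage(inventory):
    """inventory: iterable of (hostname, version string) pairs, e.g. exported
    from a software-inventory tool. Returns {hostname: status} for hosts that
    need follow-up (affected or unknown track); clean hosts are dropped."""
    findings = {}
    for host, version_text in inventory:
        status = classify(version_text)
        if status != "not-affected":
            findings[host] = status
    return findings


# Constructed sample inventory (hostnames and the non-listed builds are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "25.001.20428"),   # exactly the listed ceiling: affected
    ("ws-02", "25.001.20432"),   # above the ceiling: assumed not affected
    ("ws-03", "24.001.30100"),   # below the 24.x ceiling: affected
    ("ws-04", "20.005.30748"),   # exactly the 20.x ceiling: affected
    ("ws-05", "23.006.20360"),   # track not named on the page: unknown
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Running the block prints one line per host that needs attention; the "unknown-track" status is deliberate so that an inventory containing a track the advisory does not mention is flagged for manual review rather than treated as patched.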
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The out-of-bounds read in Adobe Acrobat Reader enables arbitrary code execution upon opening a crafted malicious file, directly mapping to client-side exploitation (T1203) and user execution of a malicious file (T1204.002).
NVD Description
Acrobat Reader versions 24.001.30225, 20.005.30748, 25.001.20428 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Deeper analysis
CVE-2025-27161 is an out-of-bounds read vulnerability (CWE-125) affecting Adobe Acrobat Reader versions 24.001.30225, 20.005.30748, 25.001.20428, and earlier. The issue arises when parsing a crafted file, which could result in a read past the end of an allocated memory structure. Published on 2025-03-11, it has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by an attacker who tricks a victim into opening a malicious file, requiring local access and user interaction but no special privileges. Successful exploitation allows arbitrary code execution in the context of the current user, potentially leading to full compromise of the victim's system with high impacts on confidentiality, integrity, and availability.
Adobe's security bulletin APSB25-14 provides details on mitigation and available patches: https://helpx.adobe.com/security/products/acrobat/apsb25-14.html.
Details
- CWE(s)