Adobe Illustrator, Untrusted Search Path, CVE-2025-27167 (Critical)

How CVE-2025-27167 Works

CVE-2025-27167 is an untrusted search path vulnerability in Adobe Illustrator (versions 29.2.1, 28.7.4, and earlier). When the application loads external resources (DLLs, scripts, or config files), it searches directories in an insecure order, so an attacker who can place a malicious payload in a directory that is searched earlier (e.g., C:\Temp) can hijack execution. This occurs due to improper path sanitization and allows privilege escalation or arbitrary code execution under the application's context. The flaw is critical as it requires no user interaction beyond opening a file.

DailyCVE Form:

Platform: Adobe Illustrator
Version: ≤29.2.1, ≤28.7.4
Vulnerability: Untrusted Search Path
Severity: Critical
Date: 03/11/2025

What Undercode Say:

Exploitation:

1. DLL Hijacking Example:

# Malicious DLL (evil.dll) placed in %APPDATA%
# Illustrator loads it instead of legitimate DLL
Copy-Item -Path .\evil.dll -Destination "$env:APPDATA\adobe\evil.dll"

2. Env Manipulation:

# Linux/macOS (Wine/Cross-platform)
export LD_LIBRARY_PATH=/tmp/malicious_libs

Detection:

1. Audit DLL Loads:

Procmon.exe, with filters: Process Name is illustrator.exe; Result is NAME NOT FOUND

2. Check Paths:

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
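
The Procmon audit above can be automated once the capture is saved as CSV. The following Python is an added example, not code from the original page or from Adobe; the trusted roots, the user name and the DLL names are assumptions, and the sample rows are constructed.

```python
import csv
import io
from pathlib import PureWindowsPath

# Assumption: roots a standard user cannot write to on a default install.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")

# Constructed sample in Procmon's CSV export layout; not captured from a real host.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Illustrator.exe","4312","CreateFile","C:\Users\alice\Documents\art\helper.dll","NAME NOT FOUND",""
"10:01:02.2","Illustrator.exe","4312","CreateFile","C:\Program Files\Adobe\Illustrator\helper.dll","SUCCESS",""
"10:01:02.3","Illustrator.exe","4312","Load Image","C:\Program Files\Adobe\Illustrator\helper.dll","SUCCESS",""
"10:01:03.0","Illustrator.exe","4312","Load Image","C:\Users\alice\AppData\Roaming\adobe\plugin.dll","SUCCESS",""
"10:01:03.4","Illustrator.exe","4312","CreateFile","C:\Temp\settings.ini","NAME NOT FOUND",""
"10:01:04.0","explorer.exe","1180","CreateFile","C:\Temp\x.dll","NAME NOT FOUND",""
'''


def is_trusted(path):
    """True if the path sits under one of the TRUSTED_ROOTS."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def audit_dll_events(csv_text, process="illustrator.exe"):
    """Return (kind, dll, directory) for DLL activity outside trusted roots.

    LOADED: the process mapped a DLL from an untrusted directory.
    PROBED: the process looked for a DLL there and did not find it, so
            the directory is part of the effective search path.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = PureWindowsPath(row["Path"])
        if row["Process Name"].lower() != process.lower():
            continue
        if path.suffix.lower() != ".dll" or is_trusted(row["Path"]):
            continue
        if row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            findings.append(("LOADED", path.name, str(path.parent)))
        elif row["Result"] == "NAME NOT FOUND":
            findings.append(("PROBED", path.name, str(path.parent)))
    return findings


if __name__ == "__main__":
    for kind, dll, directory in audit_dll_events(SAMPLE_CSV):
        print(f"{kind:6} {dll:12} {directory}")
```

LOADED rows are the ones to triage first; PROBED rows list directories whose write permissions should be reviewed.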

Mitigation:

1. Hardened Paths:

<!-- Application Manifest (illustrator.exe.manifest) -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <application>
    <windowsSettings>
      <msix xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
        <TrustedPaths>
          <TrustedPath>C:\Program Files\Adobe\Illustrator\</TrustedPath>
        </TrustedPaths>
      </msix>
    </windowsSettings>
  </application>
</assembly>

2. Workarounds:

  • Disable `LOAD_LIBRARY_SEARCH_USER_DIRS` flag.
  • Block unsigned DLLs via Group Policy:
    gpedit.msc → Computer Config → Windows Settings → Security Settings → Software Restriction Policies
    

3. Patch Command:

winget upgrade --id Adobe.Illustrator --version 29.2.2

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-27167
Extra Source Hub:
Undercode
