CVE-2025-64785: Untrusted Search Path (CWE-426) in Adobe Acrobat Reader
Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue does not require user interaction.
AI Analysis
Technical Summary
CVE-2025-64785 is an Untrusted Search Path vulnerability (CWE-426) in Adobe Acrobat Reader versions 20.005.30793, 20.005.30803, 24.001.30264, 24.001.30273, 25.001.20982 and earlier. The weakness arises when Acrobat Reader locates a critical resource, such as a helper executable or a library, by searching an ordered list of directories rather than by a fixed, trusted path, and does not verify where the match came from. An attacker with local access who can write to a directory that is searched before the legitimate location, or who can influence the search order itself (for example through environment variables or the working directory), plants a file with the expected name; the next time Acrobat Reader loads that resource it executes the attacker's code with the privileges of the current user. Adobe's description states that exploitation does not require user interaction. The CVSS 3.1 base score is 7.8 (High); the vector components reported are attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N) and user interaction required (UI:R), with high impact to confidentiality, integrity and availability. Note the tension between the description and the vector: with the other components listed and unchanged scope, 7.8 is the score that results from UI:R (UI:N would give 8.4), so the score itself implies that some user action, such as launching the application, is part of the attack path. Either way, arbitrary code execution as the user enables data theft, further compromise of the host, or denial of service. No public exploit was known when this analysis was written, but the vulnerability matters because Acrobat Reader is deployed very widely in enterprise and consumer environments. No patch was listed at the time of publication, so the mitigations below should be applied in the meantime.
Potential Impact
For European organizations this vulnerability poses a substantial risk because Adobe Acrobat Reader is ubiquitous in government, finance, healthcare and critical infrastructure. Successful exploitation yields arbitrary code execution as the logged-on user, which is enough to read and exfiltrate that user's documents and credentials, tamper with or destroy data, or disrupt the workstation. No elevated privileges are required, and the vendor states that no user interaction is needed, so an attacker who already has a low-privileged foothold (via phishing, an insider, a shared workstation or another compromised endpoint) can use the flaw to run code through a trusted, widely deployed application. Organizations processing personal data under the GDPR face notification duties and potential penalties if such a compromise leads to a breach, and critical infrastructure operators face operational disruption. Because the attack vector is local, the vulnerability is not an initial-access technique; its value to an attacker is as a reliable execution and persistence primitive (the planted file runs whenever Acrobat Reader performs the affected lookup) in targeted intrusions or ransomware campaigns.
Mitigation Recommendations
1. Monitor Adobe's official channels (the Adobe Security Bulletins) for a fix and apply it as soon as it is released.
2. Until a patch is available, restrict write permissions on every directory Acrobat Reader may search for executables or libraries: its own install directory, the working directory it is launched from, and every entry on the system and user PATH. Any such directory an unprivileged user can write to, or that is listed but does not exist, is a hijack point.
3. Apply application control (AppLocker, Windows Defender Application Control or equivalent) so that only trusted, signed executables and DLLs can run; a planted binary in a user-writable directory then fails to load even if the search path reaches it.
4. Use endpoint detection and response (EDR) to alert on Acrobat Reader processes spawning unexpected child processes or loading images from user-writable locations such as temp and profile directories, and on new executables appearing in directories that sit on the search path.
5. Enforce least privilege and strong access controls on endpoints so that attackers find it harder to obtain the local access this vulnerability requires, and brief users on how local footholds are typically gained (phishing, shared workstations, compromised accounts).
6. Audit environment variables and search paths regularly (the PATH variable and any per-application path settings) and remove entries that point to user-writable or non-existent directories.
7. Run Acrobat Reader in a sandbox or container where feasible to contain the impact of a successful hijack.
8. Keep backups current and incident response plans ready so that a compromise can be contained and recovered from quickly.
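The following Python is an added example written for this page; it is not Adobe's code and does not reproduce Acrobat Reader's actual resource lookup, which Adobe has not described. It models the CWE-426 pattern from the Technical Summary (a bare-name lookup through an ordered search path) beside a pinned lookup that is immune to it, and it implements the audit that mitigation items 2 and 6 call for: which directories searched ahead of the legitimate install directory could an unprivileged user populate? The helper name helper.exe, the directories and the permission map are constructed for the demonstration.

```python
"""Model of CWE-426 resolution plus a search-path audit.

Added example for this advisory; not Adobe code.  helper.exe, the
directories and the permission map below are constructed.
"""
import ntpath
import os
import stat
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass
class Finding:
    position: int   # index in the search order (0 = searched first)
    directory: str
    reason: str     # "writable": unprivileged user can plant a file here
                    # "missing": listed but absent; whoever creates it owns it


def resolve_by_search_path(name: str, search_path: Iterable[str],
                           exists: Callable[[str], bool],
                           pathmod=os.path) -> Optional[str]:
    """Vulnerable pattern (CWE-426): the first directory in the search
    order holding a file of the expected name wins, wherever that is."""
    for directory in search_path:
        candidate = pathmod.join(directory, name)
        if exists(candidate):
            return candidate
    return None


def resolve_pinned(name: str, trusted_dir: str,
                   exists: Callable[[str], bool],
                   pathmod=os.path) -> Optional[str]:
    """Hardened pattern: only the known install directory is consulted,
    so a file planted anywhere else is never considered."""
    candidate = pathmod.join(trusted_dir, name)
    return candidate if exists(candidate) else None


def audit_search_path(search_path: Iterable[str], trusted_dir: str,
                      exists: Callable[[str], bool],
                      writable: Callable[[str], bool],
                      pathmod=os.path) -> List[Finding]:
    """Report each directory searched *before* the legitimate one that an
    attacker could populate.  Directories after it cannot pre-empt it."""
    def canon(p: str) -> str:
        return pathmod.normcase(pathmod.normpath(p))

    findings: List[Finding] = []
    for pos, directory in enumerate(search_path):
        if canon(directory) == canon(trusted_dir):
            break
        if not exists(directory):
            findings.append(Finding(pos, directory, "missing"))
        elif writable(directory):
            findings.append(Finding(pos, directory, "writable"))
    return findings


# Constructed Windows-style scenario (hypothetical paths, not real ones).
TRUSTED_DIR = r"C:\Program Files\Adobe\Acrobat Reader\Reader"
SAMPLE_PATH = [
    r"C:\Temp",                             # world-writable scratch dir
    r"C:\Users\alice\AppData\Local\Tools",  # on PATH but never created
    TRUSTED_DIR,                            # where helper.exe really lives
    r"C:\Windows\System32",
]
SAMPLE_DIRS = {r"C:\Temp", TRUSTED_DIR, r"C:\Windows\System32"}
SAMPLE_FILES = {ntpath.join(TRUSTED_DIR, "helper.exe")}
SAMPLE_WRITABLE = {r"C:\Temp"}


def model_exists(files: set, dirs: set) -> Callable[[str], bool]:
    return lambda p: p in files or p in dirs


def run_scenario() -> dict:
    """Resolve helper.exe before and after an attacker plants a copy in
    C:\\Temp, and audit the search order for hijack points."""
    clean = model_exists(SAMPLE_FILES, SAMPLE_DIRS)
    planted = model_exists(SAMPLE_FILES | {r"C:\Temp\helper.exe"}, SAMPLE_DIRS)
    return {
        "before": resolve_by_search_path("helper.exe", SAMPLE_PATH, clean, ntpath),
        "after": resolve_by_search_path("helper.exe", SAMPLE_PATH, planted, ntpath),
        "pinned": resolve_pinned("helper.exe", TRUSTED_DIR, planted, ntpath),
        "findings": audit_search_path(SAMPLE_PATH, TRUSTED_DIR, clean,
                                      lambda d: d in SAMPLE_WRITABLE, ntpath),
    }


def audit_live_path(trusted_dir: str) -> List[Finding]:
    """Audit the real PATH of the current process.  On POSIX the writable
    test combines os.access with group/other write bits; on Windows the
    mode bits do not reflect ACLs, so confirm with icacls or Get-Acl."""
    def writable(d: str) -> bool:
        mode = os.stat(d).st_mode
        return os.access(d, os.W_OK) or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

    entries = [d for d in os.environ.get("PATH", "").split(os.pathsep) if d]
    return audit_search_path(entries, trusted_dir, os.path.isdir, writable)


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In the constructed scenario the vulnerable lookup resolves to the real helper until a file of the same name appears in C:\Temp, after which it silently picks the planted copy, while the pinned lookup is unaffected; the audit flags C:\Temp (writable) and the never-created Tools directory (missing) as the two hijack points ahead of the install directory. Run audit_live_path as an unprivileged user, not as an administrator, since os.access reports what the calling account can write.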
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: adobe
- Date Reserved: 2025-11-11T22:48:38.823Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69388b5252fe50f9a48983b4
Added to database: 12/9/2025, 8:49:22 PM
Last enriched: 1/7/2026, 7:36:52 PM
Last updated: 2/7/2026, 9:17:29 AM