Adobe Patches 24 Critical RCE Vulnerabilities

Adobe has patched 43 vulnerabilities on April 2019 Patch Tuesday. 24 of the vulnerabilities have been rated critical and are remote code execution vulnerabilities. They are present in Acrobat Reader, Adobe Shockwave Player, and Adobe Flash.

The remainder of the vulnerabilities have been rated Important or moderate and affect Adobe Flash Player, Shockwave Player, Dreamweaver, Adobe XD CC, Adobe Experience Manager Forms, InDesign, and Adobe Bridge CC.

None of the vulnerabilities are believed to have been exploited in the wild, although the updates should be applied as soon as possible.

Acrobat Reader accounts for the majority of the vulnerabilities. 21 vulnerabilities have been corrected in Acrobat Reader, 11 of which are rated critical. (CVE-2019-7088, CVE-2019-7111, CVE-2019-7112, CVE-2019-7113, CVE-2019-7117, CVE-2019-7118, CVE-2019-7119, CVE-2019-7120, CVE-2019-7124, CVE-2019-7125, and CVE-2019-7128).

8 flaws have been corrected in Adobe Bridge CC, two of which (CVE-2019-7130, CVE-2019-7132) are RCE bugs which have been rated critical. The remainder are information disclosure vulnerabilities and have been rated important.

7 critical vulnerabilities (CVE-2019-7098, CVE-2019-7099, CVE-2019-7100, CVE-2019-7101, CVE-2019-7102, CVE-2019-7103, CVE-2019-7104) have been corrected in Shockwave Player, all of which are memory corruption vulnerabilities which could allow the remote execution of arbitrary code. The flaws are present in the Windows version of Shockwave Player (Versions and earlier).

Adobe XD CC has had two critical path traversal vulnerabilities corrected (CVE-2019-7105 and CVE-2019-7106), both of which could allow remote code execution in the context of the current user if exploited.

Two flaws have been corrected in Adobe Flash Player, one of which is a code execution vulnerability (CVE-2019-7096) that has been rated critical. The other (CVE-2019-7108) is rated important and is an information disclosure vulnerability.

A critical vulnerability (CVE-2019-7107) has been corrected in InDesign which is due to unsafe hyperlink processing. If exploited, the flaw could allow the remote execution of arbitrary code.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of