CVE-2015-6723
Description
The ANTrustPropagateAll method in Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, Acrobat and Acrobat Reader DC Classic before 2015.006.30094, and Acrobat and Acrobat Reader DC Continuous before 2015.009.20069 on Windows and OS X allows attackers to bypass JavaScript API execution restrictions via unspecified vectors, a different vulnerability than CVE-2015-6707, CVE-2015-6708, CVE-2015-6709, CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-6713, CVE-2015-6714, CVE-2015-6715, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE-2015-6719, CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6724, CVE-2015-6725, CVE-2015-7614, CVE-2015-7616, CVE-2015-7618, CVE-2015-7619, CVE-2015-7620, and CVE-2015-7623.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Reader/Acrobat ANTrustPropagateAll method allows attackers to bypass JavaScript API restrictions, leading to arbitrary code execution via crafted PDF.
Vulnerability
The ANTrustPropagateAll method in Adobe Reader and Acrobat contains a flaw that allows attackers to bypass JavaScript API execution restrictions. This vulnerability affects Adobe Reader and Acrobat 10.x before 10.1.16, 11.x before 11.0.13, Acrobat and Acrobat Reader DC Classic before 2015.006.30094, and Acrobat and Acrobat Reader DC Continuous before 2015.009.20069 on Windows and OS X [1]. The issue is triggered when a specially crafted PDF with specific JavaScript instructions is processed.
Exploitation
Exploitation requires user interaction: the target must open a malicious PDF file or visit a page that loads such a file. An attacker can craft a PDF containing JavaScript that calls the ANTrustPropagateAll method in a way that bypasses the intended API restrictions [1]. No authentication or special network position is needed beyond delivering the file to the victim.
Impact
Successful exploitation allows an attacker to execute arbitrary code within the context of the affected Adobe Reader or Acrobat process. This can lead to full compromise of the user's system, including reading, writing, and modifying files, installing malware, or performing other actions with the privileges of the logged-on user [1]. The CVSS score is 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) [1].
Mitigation
Adobe released fixes in the following versions: 10.1.16, 11.0.13, DC Classic 2015.006.30094, and DC Continuous 2015.009.20069 [1]. Users should update to these or later versions. No workarounds are documented; the only mitigation is applying the vendor-supplied patch.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
10cpe:2.3:a:adobe:acrobat:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:acrobat:*:*:*:*:*:*:*:*range: >=10.0,<=10.1.15
- (no CPE)range: 10.x <10.1.16, 11.x <11.0.13
cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:classic:*:*:*+ 1 more
- cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:classic:*:*:*range: >=15.006.30060,<15.006.30094
- cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*range: >=15.008.20082,<15.009.20069
cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:*:*:*:*range: >=10.0,<=10.1.15
- (no CPE)range: 10.x <10.1.16, 11.x <11.0.13
cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:classic:*:*:*+ 1 more
- cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:classic:*:*:*range: >=15.006.30060,<15.006.30094
- cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:*range: >=15.008.20082,<15.009.20069
- Range: <2015.006.30094
- Range: <2015.009.20069
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- helpx.adobe.com/security/products/acrobat/apsb15-24.htmlnvdPatchVendor Advisory
- www.securitytracker.com/id/1033796nvdThird Party AdvisoryVDB Entry
- www.zerodayinitiative.com/advisories/ZDI-15-497nvdThird Party AdvisoryVDB Entry
News mentions
0No linked articles in our index yet.