VYPR
Unrated severity · NVD Advisory · Published Oct 14, 2015 · Updated May 6, 2026

CVE-2015-7614

Description

Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, Acrobat and Acrobat Reader DC Classic before 2015.006.30094, and Acrobat and Acrobat Reader DC Continuous before 2015.009.20069 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions and execute arbitrary commands via an app.launchURL call, a different vulnerability than CVE-2015-6707, CVE-2015-6708, CVE-2015-6709, CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-6713, CVE-2015-6714, CVE-2015-6715, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE-2015-6719, CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6723, CVE-2015-6724, CVE-2015-6725, CVE-2015-7616, CVE-2015-7618, CVE-2015-7619, CVE-2015-7620, and CVE-2015-7623.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Reader and Acrobat on Windows and OS X are vulnerable to arbitrary command execution via a specially crafted app.launchURL call, bypassing JavaScript API restrictions.

Vulnerability

Affected versions: Adobe Reader and Acrobat 10.x before 10.1.16, 11.x before 11.0.13, Acrobat Reader DC Classic before 2015.006.30094, and Acrobat Reader DC Continuous before 2015.009.20069 on Windows and OS X. The vulnerability lies in the handling of URLs passed to the app.launchURL JavaScript API, which can be abused to execute arbitrary commands instead of merely opening a URL [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious PDF that passes a specially crafted URL to app.launchURL. No authentication is required; the victim only needs to open the PDF. The attack can be performed remotely [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the Adobe Reader process, leading to full system compromise (confidentiality, integrity, and availability) [1].

Mitigation

Adobe has released security updates for all affected versions: Acrobat Reader DC (Classic and Continuous) updated to 2015.006.30094 and 2015.009.20069 respectively, Reader 11.x to 11.0.13, and Reader 10.x to 10.1.16. Users should apply the latest updates [1].

References
  1. ZDI-15-509

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8
  • cpe:2.3:a:adobe:acrobat:*:*:*:*:*:*:*:*
    Range: >=10.0,<=10.1.15
  • cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:classic:*:*:* (+ 1 more)
    • cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:classic:*:*:*
      Range: >=15.006.30060,<15.006.30094
    • cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*
      Range: >=15.008.20082,<15.009.20069
  • cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:*:*:*:*
    Range: >=10.0,<=10.1.15
  • cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:classic:*:*:* (+ 2 more)
    • cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:classic:*:*:*
      Range: >=15.006.30060,<15.006.30094
    • cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:*
      Range: >=15.008.20082,<15.009.20069
    • (no CPE)
      Range: <=2015.009.20069
  • Range: <=2015.006.30094
