# Conclusion

## Contracting

This vulnerability was discovered and exploited in April of 2022 as part of a web application penetration test. A client hired our employer to assess their payment-based web application, which used Adobe LiveCycle ES4v11.0 for interactive forms processing.

## Impact

Exploitation of the vulnerability allowed us to transition from an unauthenticated adversary on the internet to a low-privileged user on a server in their secure web enclave.

With the low-privileged user permissions, we had the ability to encrypt, exfiltrate, delete, and otherwise disrupt all services associated with the payment-based application. In follow-on tests with the client, we also had the opportunity to demonstrate the impact of privilege escalation and lateral movement starting from a similar foothold in their secure web enclave.

It only took **five business days** to identify and exploit this vulnerability, so if you have Adobe LiveCycle ES4v11.0 in your environment, we recommend you implement [appropriate remediation](https://coastalsecurity.gitbook.io/critical-vulnerability-adobe-livecycle-es4v11.0/critical-rce-vulnerability-in-adobe-livecycle-es4v11.0#mitigation-and-remediation-options) **immediately**.

## Team Gratitude

Teamwork is an important part of all of our tests, and many unnamed individuals contributed to our success; so to all of the team, thank you!

## Questions/Corrections

If there are any questions or corrections, feel free to email us at coastalsecurity\[@]proton\[.]me.
