Conclusion

Contracting

This vulnerability was discovered and exploited in April of 2022 as part of a web application penetration test. A client hired our employer to assess their payment-based web application, which used Adobe LiveCycle ES4v11.0 for interactive forms processing.

Impact

Exploitation of the vulnerability allowed us to transition from an unauthenticated adversary on the internet to a low-privileged user on a server in their secure web enclave.

With the low-privileged user permissions, we had the ability to encrypt, exfiltrate, delete, and otherwise disrupt all services associated with the payment-based application. In follow-on tests with the client, we also had the opportunity to demonstrate the impact of privilege escalation and lateral movement starting from a similar foothold in their secure web enclave.

It only took five business days to identify and exploit this vulnerability, so if you have Adobe LiveCycle ES4v11.0 in your environment, we recommend you implement appropriate remediation immediately.

Team Gratitude

Teamwork is an important part of all of our tests, and many unnamed individuals contributed to our success; so to all of the team, thank you!

Questions/Corrections

If there are any questions or corrections, feel free to email us at coastalsecurity[@]proton[.]me.