CVE CyberSecurity Database News

CVE-2023-26358 - Untrusted Search Path Vulnerability in Adobe Creative Cloud 5.9.1 (and earlier)

Poster -

Adobe’s Creative Cloud software is widely used by designers, artists, and businesses around the world. But with its popularity comes risks, especially when security flaws are discovered before they’re fully fixed or understood. One such risk is CVE-2023-26358, an *Untrusted Search Path* vulnerability affecting Creative Cloud Desktop Application version 5.9.1 and earlier.

In this post, we’ll explain what this vulnerability is, how attackers might exploit it, and what you can do to keep yourself safe. We’ll keep the language simple and provide code snippets and original references so you can dig deeper.

What is CVE-2023-26358?

CVE-2023-26358 is an *untrusted search path* vulnerability. In practical terms, it means that the Creative Cloud app might look in the wrong place for files it needs to run. Attackers can take advantage of this by tricking Creative Cloud into running their own malicious files.

The vulnerability affects Adobe Creative Cloud version 5.9.1 and earlier on Windows systems.

Change important settings or data

Anyone using a vulnerable version can be at risk, especially if they're running Creative Cloud in shared or untrusted environments.

How the Exploit Works

The heart of the problem is that the application depends on certain files (DLLs, plugins, config files, etc.) and searches for these files in predetermined locations, called the _search path_. If the search path is not locked down, a bad actor can place a malicious file in a folder where Creative Cloud might look, and the app could unknowingly run it.

Example: DLL Hijacking

Let’s say Creative Cloud needs a library called example.dll when it starts up.

Other directories in the PATH environment variable

If an attacker somehow places a fake example.dll in the same directory as Creative Cloud (or any directory in the search path that’s checked before System32), then the app will load the attacker’s version, not the legitimate one.

Code Snippet (Windows - C Example)

// Vulnerable code: Loads DLL by default search order, no hard-coded path
HMODULE hModule = LoadLibrary("example.dll");
if (hModule == NULL) {
    printf("Unable to load DLL!\n");
}

*In this code, Windows will look for example.dll in the application's directory, then other locations. If a malicious DLL is found first, it will get loaded and run.*

Attack Scenario: How Could This Play Out?

1. Attacker Gains Access to a machine running Creative Cloud (maybe by sneakernet, shared drives, or phishing that plants a malicious file).

Victim launches Creative Cloud Desktop. The process loads the attacker’s DLL.

4. Malicious Code Runs—this could steal files, create a backdoor, or give remote control over the system.

The risk is higher on shared computers (schools, offices, internet cafes), or where users have weak folder permissions.

Real-World Example: Exploiting the Search Path

Suppose Creative Cloud relies on an external tool or DLL. An attacker can guess or observe which file is being loaded and then drop their malicious version into an accessible location.

Here’s a PowerShell one-liner that sets up such a scenario

Copy-Item -Path "C:\Malware\evil.dll" -Destination "C:\Program Files\Adobe\Adobe Creative Cloud\"

After this, every time Creative Cloud starts, it can load evil.dll if it calls it without a full path and the vulnerability is present.

Proof-of-Concept (PoC) Exploit

For demonstration purposes only. This PoC simply opens Notepad every time the app tries to load a hijacked DLL.

// malicious_dll.c
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    if (fdwReason == DLL_PROCESS_ATTACH) {
        WinExec("notepad.exe", SW_SHOW);
    }
    return TRUE;
}


Compile and name this DLL as the one expected by Creative Cloud, then place it into Creative Cloud's installation directory. The app will run Notepad each time it is started and loads the DLL.

Original References

- NIST National Vulnerability Database CVE-2023-26358
- Adobe Security Bulletin APSB23-20
- MITRE CVE Entry

Update Now!

- Update Creative Cloud Desktop App to the latest version! Adobe fixed this issue in later releases. Download here: Creative Cloud Downloads

Final Thoughts

Untrusted search path bugs like CVE-2023-26358 are easy to overlook but can be catastrophic if exploited. Even casual attackers can plant malware if they’re on the same system or can influence file locations.

Always keep your apps up to date, and restrict who can write to program folders. Don’t wait for attackers to find you—close security gaps proactively.

> Stay safe, and keep creating!

Original details from NIST and Adobe  
More about search path vulnerabilities (OWASP)


*This post is an exclusive overview tailored for users and system admins who need plain-English guidance on one of the latest Adobe Creative Cloud vulnerabilities. If you have questions or want a deeper dive, let us know below!*

Timeline

Published on: 03/22/2023 17:15:00 UTC
Last modified on: 03/24/2023 02:27:00 UTC