New Adobe Sandbox Vulnerabilities Found

Swascan Vulnerability Hunting Team contacted the PSIRT at Adobe following a security monitoring activity. Swascan Team, during the security analysis for a media company in Europe, found 5 vulnerabilities related to the Web Servers at which handles through multiple and different hosts the Adobe Sandbox Service.

Adobe Sandbox

Adobe adopts Adobe Sandbox in order to manage security. A “sandbox” is a protected environment used to run untrusted programs. This sandboxing technique, in the Acrobat context, involves running any PDF in this protected environment in order to minimize risk.

By default, every PDF is considered as potentially dangerous, this is why each one of them is ran in a sandbox that reduces certain features in order to limit risk and minimize potential criticalities.


Swascan is the CyberSecurity Testing platform founded by Raoul Chiesa and Pierguido Iezzi. Swascan is the first CyberSecurity Testing platform both in Cloud and On Premise, SaaS and All-in-One that allows to identify, analyze and solve vulnerabilities and security issues related to websites, web applications, networks and source code. Swascan services ensure Security Governance and GDPR Compliance. Moreover, Swascan developed its own CyberSecurity Research Center.

Swascan is a well-known player in the market, the platform has been recognized by both Cisco (Swascan has been awarded by Cisco as CyberSecurity platform), MarketsAndMarkets (listed Swascan among the top 20 GDPR providers worldwide) and key customers and partners worldwide.

Vulnerability Disclosure

While running a Swascan based security assessment for a media company in Europe; Swascan Security Research Team reported to the customer that most of the vulnerabilities and exposures we had found were depending on a third-party service: Adobe, and its Sandbox Service which our customer bought for its own internal use. Indeed, there were 5 vulnerabilities, distributed among a range of High (1), Medium (2) and Low (2). These vulnerabilities, whether exploited, could easily impact the Integrity, Availability and Confidentiality of the systems.

To this end, Swascan immediately contacted the staff at Adobe PSIRT and started a profitable collaboration which led to the fixing of the vulnerabilities identified in the first place.

However, this article does not aim to discuss, or disclose, any of the findings (if you are interested in the details, contact directly Swascan). Instead, the goal of this post is to push everyone to think about the importance of a real collaboration between software vendors and CyberSecurity companies.

The acknowledge they gave us to our findings, along with mutual email discussions, estimations, remediation and fixing timings have been one of most serious, professional, and transparent ones we’ve ever experienced in our careers: compliments to those security experts, reverse engineers and coders who work at Adobe. This is the perfect example of CyberSecurity Teamwork that reflects the need of collaboration between CyberSecurity companies (Swascan) and software vendors (the Adobe Team).

CERTs and PSIRTs they do play an highly critical, important role in the security ecosystem of nowadays digital world. we wish there would be more and more conscious teams out there, just as the Adobe PSIRT showed the correct behavior, understanding, and care for its customers.


Raoul “Nobody” Chiesa Swascan co-founder, InfoSec addicted

Pierguido Iezzi, Swascan co-founder, CyberSecurity Director

For any additional information: [email protected]

Cybersecurity: MOTUS-E and Swascan
ECSO: Swascan one of the top 20 startups in Europe

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.