Talos Vulnerability Report

TALOS-2025-2274

Adobe Photoshop Installation Privilege Escalation Vulnerability

April 22, 2026

CVE Number

CVE-2026-34632

SUMMARY

A privilege escalation vulnerability exists during the installation of Adobe Photoshop via the Microsoft Store. The vulnerable version of the installer is Photoshop_Set-Up.exe 2.11.0.30. A low-privilege user can replace files during the installation process, which may result in unintended elevation of privileges.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Adobe Photoshop Photoshop_Set-Up.exe version 2.11.0.30

PRODUCT URLS

Photoshop - https://www.adobe.com/products/photoshop.html

CVSSv3 SCORE

8.2 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-284 - Improper Access Control

DETAILS

Adobe Photoshop is a software application for image creation, photo editing, and graphic design. It provides advanced tools for photo retouching, compositing, digital painting, and creating visual effects. It is one of the most widely used tools for professional digital art.

Adobe Photoshop is vulnerable to a privilege escalation issue when installed via the Microsoft Store application. When a user attempts to install Adobe Photoshop, the following events occur in the background:

  • WindowsPackageManagerServer.exe downloads and runs Photoshop_Set-Up.exe.
  • Photoshop_Set-Up.exe calls ShellExecute with the runas verb to launch a second instance of Photoshop_Set-Up.exe with elevated privileges.
  • Once permission is granted, the new Photoshop_Set-Up.exe process runs with High Integrity privileges.
  • This elevated process downloads zip files to a temporary folder, then extracts and saves them to the program folder.
  • After copying files to the program folder, it runs additional executables such as Adobe installer.exe and AdobeServiceInstaller.exe with High Integrity privileges to configure the application.

Note that the location where the ZIP files are saved is user-writable. To exploit this vulnerability, an attacker could replace a ZIP file with an attacker-controlled version. When the installation process extracts and saves the files, the attacker-controlled files are written to the program folder with High Integrity privileges.

In this case, it is possible to escalate privileges from High Integrity to System by replacing Adobe installer.exe with an attacker-controlled executable that registers and runs a malicious service, which runs with System privileges.
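The weakness described above is that the elevated process trusts whatever archive is in the user-writable staging folder at extraction time. The following is an added example, not code from the original report and not Adobe's fix: a sketch of one defensive pattern, reading the staged archive once, checking those bytes against a pinned SHA-256, and extracting from the same in-memory bytes. The function names, paths, and the idea that the digest comes from a signed manifest are assumptions, and the file contents are constructed placeholders.

```python
import hashlib, io, os, tempfile, zipfile

class TamperedArchive(Exception):
    """Staged archive bytes do not match the pinned digest."""

def extract_verified(staged_path, expected_sha256, dest_dir):
    # Read the staged file exactly once; everything below uses these bytes,
    # so a swap on disk after this point cannot change what is extracted.
    with open(staged_path, "rb") as fh:
        data = fh.read()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise TamperedArchive(staged_path)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest_dir)
        return sorted(zf.namelist())

def make_zip(members):
    # Helper for the constructed demo: build a ZIP in memory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    # Constructed scenario; file contents are placeholder bytes.
    genuine = make_zip({"Adobe installer.exe": b"genuine placeholder"})
    pinned = hashlib.sha256(genuine).hexdigest()  # assumption: from a signed manifest
    with tempfile.TemporaryDirectory() as root:
        staged = os.path.join(root, "staging", "package.zip")
        program = os.path.join(root, "program")
        os.makedirs(os.path.dirname(staged))
        os.makedirs(program)
        with open(staged, "wb") as fh:
            fh.write(genuine)
        extracted = extract_verified(staged, pinned, program)
        # The staged file changes between download and a later extraction.
        with open(staged, "wb") as fh:
            fh.write(make_zip({"Adobe installer.exe": b"replaced placeholder"}))
        try:
            extract_verified(staged, pinned, program)
            rejected = False
        except TamperedArchive:
            rejected = True
        with open(os.path.join(program, "Adobe installer.exe"), "rb") as fh:
            installed = fh.read()
    return extracted, rejected, installed

if __name__ == "__main__":
    print(demo())
```

Integrity checking complements, rather than replaces, staging downloads in a directory that low-privilege users cannot write to.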

TIMELINE

2025-09-23 - Vendor Disclosure
2026-01-20 - Vendor Patch Release
2026-04-22 - Public Release

Credit

Discovered by KPC of Cisco Talos.