CVE-2026-34632

A privilege escalation vulnerability exists during the installation of Adobe Photoshop via the Microsoft Store. The vulnerable version of the installer is Photoshop_Set-Up.exe 2.11.0.30. A low-privilege user can replace files during the installation process, which may result in unintended elevation of privileges.

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Adobe Photoshop Photoshop_Set-Up.exe version 2.11.0.30

Photoshop – https://www.adobe.com/products/photoshop.html

8.2 – CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE-284 – Improper Access Control

Adobe Photoshop is powerful software for image creation, photo editing, and graphic design. It provides advanced tools for photo retouching, compositing, digital painting, and creating stunning visual effects. It is one of the most widely used tools for professional digital art.

Adobe Photoshop is vulnerable to a privilege escalation issue when installed via the Microsoft Store application. When a user attempts to install Adobe Photoshop, the following events occur in the background:

- `WindowsPackageManagerServer.exe` downloads and runs `Photoshop_Set-Up.exe`.
- `Photoshop_Set-Up.exe` calls `ShellExecute` with the `runas` verb to launch a second instance of `Photoshop_Set-Up.exe` with elevated privileges.
- `Photoshop_Set-Up.exe` process runs with `High Integrity` privileges.
- `Adobe installer.exe` and `AdobeServiceInstaller.exe` with High Integrity privileges to configure the application.

Note that the location where the ZIP files are saved is user-writable. To exploit this vulnerability, an attacker could replace a ZIP file with an attacker-controlled version. When the installation process extracts and saves the files, the attacker-controlled files are written to the program folder with `High Integrity` privileges.

In this case, it is possible to escalate privileges from `High Integrity` to `System` by replacing `Adobe installer.exe` with an attacker-controlled executable that can register and run a malicious service, which runs with `System` privileges.
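One way an installer can close the gap described above, where ZIP files staged in a user-writable location are later extracted by an elevated process: copy the archive into a directory only the installer can write to, verify that copy against a pinned digest, and extract from the copy. This is an added example, not Adobe's code or its patch; the function names, file names and the pinned digest (assumed to come from a signed manifest) are assumptions.

```python
import hashlib
import os
import shutil
import tempfile
import zipfile


class TamperedArchive(Exception):
    """Raised when the staged archive does not match the pinned digest."""


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def install_from_staged_zip(staged_zip, expected_sha256, dest_dir):
    # Assumption: private_dir stands in for a directory that only the
    # elevated installer can write to (an admin-only ACL on Windows).
    with tempfile.TemporaryDirectory(prefix="installer-private-") as private_dir:
        private_zip = os.path.join(private_dir, "payload.zip")
        # Copy first, then verify the copy: later changes to the
        # user-writable original cannot affect what gets extracted.
        shutil.copyfile(staged_zip, private_zip)
        if sha256_file(private_zip) != expected_sha256:
            raise TamperedArchive(staged_zip)
        os.makedirs(dest_dir, exist_ok=True)
        with zipfile.ZipFile(private_zip) as archive:
            archive.extractall(dest_dir)
        return sorted(os.listdir(dest_dir))


def demo():
    """Constructed sample: a genuine archive, then a replaced one."""
    with tempfile.TemporaryDirectory(prefix="staging-demo-") as work:
        staged = os.path.join(work, "component.zip")
        with zipfile.ZipFile(staged, "w") as archive:
            archive.writestr("helper.bin", b"genuine payload")
        pinned = sha256_file(staged)  # assumed to ship in a signed manifest
        installed = install_from_staged_zip(staged, pinned, os.path.join(work, "app"))
        with zipfile.ZipFile(staged, "w") as archive:  # staged file replaced
            archive.writestr("helper.bin", b"different payload")
        try:
            install_from_staged_zip(staged, pinned, os.path.join(work, "app2"))
            rejected = False
        except TamperedArchive:
            rejected = True
        return installed, rejected
```

Verifying the staged file in place and then extracting it from the same user-writable path would leave a window between the check and the extraction, which is why the copy is taken before the digest is computed.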

2025-09-23 – Vendor Disclosure

2026-01-20 – Vendor Patch Release

2026-04-22 – Public Release

Discovered by KPC of Cisco Talos.