Adobe has issued an out-of-band emergency security update to address a critical zero-day vulnerability in its widely used Acrobat and Reader applications. The flaw, now officially identified as CVE-2026-34621, had been actively exploited by attackers since at least November or December 2025 — months before a patch became available — making it one of the most significant PDF-based security incidents in recent years.

Vulnerability Details — CVE-2026-34621

  • CVE ID: CVE-2026-34621
  • Severity: Critical
  • CVSS score: 8.6 / 10.0 (revised April 12)
  • Weakness type: Prototype Pollution (CWE-1321)
  • Impact: Arbitrary Code Execution
  • Attack vector: Local (user must open malicious PDF)
  • Affected products: Acrobat DC, Reader DC, Acrobat 2024 (Windows & macOS)
  • Adobe bulletin: APSB26-43 (Priority 1)

What Is the Vulnerability?

CVE-2026-34621 is rooted in a prototype pollution bug — a class of vulnerability found in JavaScript-based applications. In JavaScript, objects can inherit properties from a shared prototype such as Object.prototype. When input is not properly validated, an attacker can inject malicious values into this prototype, altering application behavior in unexpected and dangerous ways.
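The mechanism described above, as an added example that is not code from the advisory, EXPMON or Adobe: a JavaScript recursive merge that lets a "__proto__" key in untrusted input write into Object.prototype, next to a hardened merge that refuses prototype-chain keys. The function names and the input document are constructed for the illustration.

```javascript
// Added example, not code from the advisory, EXPMON or Adobe: prototype pollution
// through a recursive merge of untrusted input, beside a hardened merge.

// Vulnerable: copies every key of src into dst, "__proto__" included. Reading
// dst["__proto__"] returns Object.prototype, so the recursion writes into the
// shared prototype and every plain object in the program inherits the result.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (typeof value === "object" && value !== null) {
      if (typeof dst[key] !== "object" || dst[key] === null) dst[key] = {};
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened: drop keys that reach the prototype chain, and only recurse into
// properties dst itself owns so an inherited accessor is never written through.
const PROTOTYPE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (PROTOTYPE_KEYS.has(key)) continue;
    const value = src[key];
    if (typeof value === "object" && value !== null) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || typeof dst[key] !== "object" || dst[key] === null) dst[key] = {};
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Constructed untrusted input: JSON.parse keeps "__proto__" as an own property,
// so Object.keys() enumerates it like any other key.
const UNTRUSTED_JSON = '{"title": "report", "__proto__": {"isAdmin": true}}';

// Merge with the given function, then test whether a brand-new, unrelated object
// inherited "isAdmin". Cleans Object.prototype so both merges can be compared.
function demonstrate(mergeFn) {
  const settings = mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { title: settings.title, polluted }; // unsafeMerge: polluted true; safeMerge: false
}
```

The same check applies to any deserializer or settings loader that walks attacker-supplied keys: the defence is to reject prototype-chain keys (or build targets with Object.create(null)) before any recursive write.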

In Adobe Reader’s case, the vulnerability allowed crafted PDF files to execute embedded JavaScript code capable of calling privileged Acrobat APIs — specifically util.readFileIntoStream() and RSS.addFeed() — in order to read arbitrary files on the victim’s local system and transmit harvested data to an attacker-controlled command-and-control (C2) server. From there, attackers could deploy further Remote Code Execution (RCE) or sandbox-escape (SBX) payloads to gain complete control of the compromised machine.

Critically, exploitation is not remote: the victim must actively open a malicious PDF file. However, given how commonly PDFs are shared via email and the web, this still represents a highly viable attack vector, especially in targeted phishing campaigns.

“A really interesting and sophisticated Adobe Reader PDF fingerprinting exploit involving zero-day and allowing to launch additional RCE/SBX exploitation.”
— Haifei Li, EXPMON Founder, via X (April 8, 2026)

How It Was Discovered

The vulnerability was uncovered by security researcher Haifei Li, founder of EXPMON — a sandbox-based cybersecurity platform designed to detect advanced, file-based exploits through automated analysis and manual review. On March 26, 2026, a suspicious PDF was submitted to EXPMON’s public portal. Despite a relatively low initial detection rate on VirusTotal (13 out of 64 antivirus engines), EXPMON’s advanced “detection in depth” feature flagged the sample for manual inspection.

Li subsequently identified a second malicious PDF sample that had been uploaded to the online malware scanning platform VirusTotal as early as November 2025 — suggesting the zero-day had been in active use for months before discovery. Other evidence points to exploitation beginning no later than December 2025. Li published his technical findings on April 7, 2026, prompting Adobe to fast-track its investigation and emergency patch.

Who Is Behind the Attacks?

The full identity of the threat actors has not been officially confirmed, but early forensic evidence provides notable clues. Cybersecurity researcher Gi7w0rm analyzed malicious PDF samples and found that they contained Russian-language lure content rendered as decoy images, with subject matter relating to gas supply disruptions and emergency response in Russia’s oil and gas sector. This suggests the campaign was highly targeted — likely aimed at entities with interests in the Russian energy industry.

Security researchers widely believe an Advanced Persistent Threat (APT) group is responsible, given the sophistication of the exploit chain and the targeted nature of the lures. However, no specific nation-state actor has been formally attributed at the time of publication.

Adobe’s Response and Timeline

  • November 2025 (earliest evidence)
    A malicious PDF exploiting CVE-2026-34621 first appears on VirusTotal. Exploitation of the zero-day likely begins around this time.
  • March 26, 2026
    A suspicious PDF is submitted to EXPMON’s platform. Despite low AV detection (13/64 on VirusTotal), EXPMON flags it for manual review.
  • April 7, 2026
    Haifei Li publicly discloses technical details of the zero-day on his blog, describing a sophisticated “fingerprinting-style” PDF exploit targeting privileged Adobe Reader APIs.
  • April 11, 2026 — Patch Released
    Adobe publishes emergency security bulletin APSB26-43 (Priority 1), releasing patches for Acrobat DC, Reader DC, and Acrobat 2024 on both Windows and macOS. The flaw is assigned CVE-2026-34621 with an initial CVSS score of 9.6.
  • April 12, 2026
    Adobe revises the CVSS score from 9.6 to 8.6, adjusting the attack vector from Network (AV:N) to Local (AV:L), reflecting the requirement for a user to open the malicious file.
  • April 13, 2026
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds CVE-2026-34621 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch agencies to patch by April 27, 2026.

Affected Versions and Patch Information

Adobe confirmed that the following products on both Windows and macOS are affected and have received patches:

  • Acrobat DC & Acrobat Reader DC — Fixed in version 26.001.21411
  • Acrobat 2024 — Fixed in versions 24.001.30362 (Windows) and 24.001.30360 (macOS)

Adobe credits Haifei Li of EXPMON for reporting the vulnerability and coordinating disclosure.

What You Should Do Now

Security teams and individual users should treat this update with the highest urgency. Given that active exploitation has been ongoing for months and a Proof-of-Concept exploit was reportedly offered on a dark web forum as recently as April 11, unpatched systems remain at significant risk.

  • Update Adobe Acrobat or Reader immediately via Help → Check for Updates, or download the latest version from Adobe’s official website.
  • Treat all PDF files from untrusted or unexpected sources as potentially malicious until patched.
  • Consider disabling or restricting JavaScript execution in PDF readers where it is not required for business operations.
  • Security teams should monitor for suspicious behaviors such as AdobeCollabSync.exe making unexpected external network connections.
  • Conduct security awareness training to remind employees of the risks of opening unsolicited PDF attachments.

The breadth of Adobe Reader’s installation base — spanning hundreds of millions of devices worldwide across both consumer and enterprise environments — makes prompt patching essential. As CISA’s inclusion in the KEV catalog underscores, this is not a theoretical risk: attackers have been exploiting this flaw in the real world for months, and the window of opportunity for unpatched systems remains open until users act.