Critical Adobe Acrobat and Reader Zero-Day Under Active Exploitation

Adobe released an emergency security update for a critical zero-day vulnerability in Acrobat and Reader that has been exploited in the wild for months through malicious PDF files. The company urged affected users to apply the update within 72 hours.

The vulnerability is tracked as CVE-2026-34621 and carries a CVSS score of 9.6 out of 10. Adobe identified the issue as a prototype pollution vulnerability. According to Adobe’s security bulletin APSB26-43, successful exploitation can lead to arbitrary code execution on both Windows and macOS systems when a victim opens a crafted PDF file.

Adobe also confirmed that the flaw is under active exploitation, making this a high-priority issue for both individual users and organizations that rely on Acrobat or Reader to open PDF documents.

How the Acrobat PDF Attack Works

Malicious PDF Files Trigger the Exploit

The attack begins with a specially crafted PDF. Simply opening the file in a vulnerable version of Acrobat or Reader can expose the system to compromise. That matters because PDF files are widely trusted and routinely exchanged in day-to-day business workflows.

Abuse of Acrobat JavaScript APIs

The exploit uses two privileged Acrobat JavaScript APIs:

  • util.readFileIntoStream
  • RSS.addFeed

These APIs are used to read local files, fingerprint the target system, and send the gathered data to attacker-controlled servers.

Multi-Stage Target Profiling Before Deeper Exploitation

Rather than dropping a full payload right away, the attackers first collect details about the victim’s environment. This profiling stage helps them decide which systems are worth pursuing further.

After that, selected targets may receive second-stage exploits that can enable remote code execution or sandbox escape. This approach gives attackers a more selective and controlled path to deeper compromise.

As described by the researcher who disclosed the activity, the mechanism enables threat actors to collect user information, steal local data, perform advanced fingerprinting, and prepare future attacks.

Months of Silent Acrobat Exploitation Since Late 2025

Earliest Known Activity Dates Back to November 2025

The campaign was traced back to at least late November 2025. The earliest known malicious sample was a file named “Invoice540.pdf”, which appeared on the VirusTotal malware-scanning platform.

Public Disclosure Followed a Suspicious PDF Detection

Security researcher Haifei Li, founder of the exploit-detection platform EXPMON, publicly disclosed the zero-day on April 7 after his system flagged a suspicious PDF sample that had been submitted on March 26.

That timeline shows the vulnerability was not just theoretical or newly discovered at disclosure. It had already been used in active attacks for an extended period before the emergency patch was released.

Targeted Campaign Characteristics and Russian-Language Decoys

Russian-Language Visual Lures in Malicious PDFs

Malware researcher Giuseppe Massaro, who analyzed the samples, found that the malicious PDFs displayed Russian-language documents rendered as images. These acted as visual decoys while the malicious activity took place behind the scenes.

Themes Referenced Gas Supply Disruptions and Emergency Response

The decoy content included references to gas supply disruptions and emergency response. Based on those themes, the campaign appears to have been crafted with a specific audience in mind.

Likely Focus on Russian-Speaking Organizations

The sample analysis suggests the intended targets were Russian-speaking individuals, likely associated with government, energy, or critical infrastructure organizations.

That targeting detail matters because it points to a more deliberate campaign rather than broad, untargeted malware distribution.

Affected Adobe Acrobat and Reader Versions

The emergency patch covers the following Acrobat and Reader versions:

  • 24.001.30356 and earlier
  • 26.001.21367 and earlier

Adobe assigned the issue a priority rating of 1, which is the company’s highest urgency designation. That rating signals that the vulnerability presents an immediate risk and should be addressed without delay.
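The two "and earlier" thresholds above are easy to get wrong in an inventory query, because Acrobat version strings such as 24.001.30356 zero-pad the middle field and must be compared numerically rather than as text. The following script is an added example, not Adobe's code: it parses a version string, compares it against the two affected ranges listed on this page, and triages a constructed inventory. Any major version other than 24 or 26 is reported as unknown, since the bulletin excerpt here does not say how other tracks are affected; that handling is an assumption.

```python
"""Check installed Acrobat/Reader versions against the affected ranges
listed on this page. Added example, not Adobe's code."""

from typing import Optional

# Last unpatched build per major version, as quoted from the bulletin on
# this page. Any build at or below the listed one is in the affected range.
LAST_VULNERABLE = {
    24: (24, 1, 30356),
    26: (26, 1, 21367),
}


def parse_version(s: str) -> tuple:
    """Parse 'MAJOR.MINOR.BUILD' (e.g. '24.001.30356') into a tuple of ints.
    The minor field is zero-padded, so string comparison would be wrong."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {s!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str) -> Optional[bool]:
    """True if the build is at or below the last affected build for its
    major version, False if it is newer than that build, None if the major
    version is not one the bulletin excerpt covers (verify manually)."""
    major, minor, build = parse_version(installed)
    ceiling = LAST_VULNERABLE.get(major)
    if ceiling is None:
        return None  # assumption: other tracks are not covered by this page
    return (major, minor, build) <= ceiling


def triage(inventory: dict) -> dict:
    """Group hostnames by status from a {host: version} inventory, such as
    an export from endpoint management tooling."""
    groups = {"vulnerable": [], "patched": [], "unknown": []}
    for host, ver in inventory.items():
        state = is_vulnerable(ver)
        key = "unknown" if state is None else ("vulnerable" if state else "patched")
        groups[key].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are placeholders.
    sample = {
        "ws-01": "24.001.30356",
        "ws-02": "24.001.30357",
        "ws-03": "26.001.21367",
        "ws-04": "26.001.21368",
        "ws-05": "25.001.20432",
    }
    for state, hosts in triage(sample).items():
        print(f"{state:10s} {hosts}")
```

Treat the "unknown" bucket as work to do, not as safe: check those hosts against the full bulletin rather than assuming a version outside the two listed ranges is unaffected.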

Patch and Mitigation Steps for Organizations

Apply the Adobe Emergency Update

The primary mitigation is straightforward: update affected Acrobat and Reader installations as quickly as possible. Adobe specifically urged users to update within 72 hours.

Disable JavaScript in Adobe Reader if Immediate Patching Is Not Possible

Organizations that cannot deploy the fix right away should disable JavaScript execution in Acrobat and Reader (Edit > Preferences > JavaScript, then uncheck "Enable Acrobat JavaScript"). Because the observed exploit chain relies on Acrobat JavaScript APIs, this reduces exposure while patching is being scheduled. It is a stopgap rather than a fix, and users can re-enable JavaScript themselves unless the setting is locked down by policy.

Route Untrusted PDFs to Alternative Viewers

Another recommended step is to send untrusted PDF files to alternative viewers that do not support Adobe’s extended JavaScript APIs. This helps reduce the attack surface tied to the vulnerable functionality.

Block Suspicious Network Traffic

Defenders are also advised to block HTTP/HTTPS traffic that contains "Adobe Synchronizer" in the User-Agent header, which can disrupt exploitation attempts or follow-on communication. The string is a component name rather than a campaign-specific indicator, so run the rule in alert-only mode first and confirm which destinations your own Acrobat installations contact with that User-Agent before switching it to block.
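To baseline the User-Agent rule before enforcing it, the following added example (not from the original page, EXPMON, or Adobe) scans proxy log lines for the "Adobe Synchronizer" marker and summarises matches by destination host, so that unfamiliar destinations stand out from any hosts already baselined as legitimate. The log format, the sample lines, the hostnames and the allowlist are all constructed for the example; adapt the regular expression to your proxy's real format.

```python
"""Flag proxy log entries whose User-Agent contains 'Adobe Synchronizer'
and summarise them by destination host. Added example, not from the page."""

import re
from collections import Counter
from dataclasses import dataclass

UA_MARKER = "Adobe Synchronizer"

# Constructed one-line-per-request format:
#   <ts> <client_ip> <method> <url> <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
HOST_RE = re.compile(r"^https?://([^/:]+)")


@dataclass
class Hit:
    ts: str
    client: str
    host: str
    url: str
    ua: str


def parse_line(line):
    """Return the fields of one log line, or None if it does not match.
    In production, count unparseable lines instead of silently dropping them."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_synchronizer_hits(lines, allowlist=()):
    """Return Hit records for requests whose User-Agent contains the marker
    (case-insensitive) and whose destination host is not in `allowlist`.

    `allowlist` holds hosts you have baselined as legitimate Acrobat traffic;
    populating it from your own telemetry is an assumption of this example."""
    allowed = {h.lower() for h in allowlist}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or UA_MARKER.lower() not in rec["ua"].lower():
            continue
        hm = HOST_RE.match(rec["url"])
        host = hm.group(1).lower() if hm else ""
        if host in allowed:
            continue
        hits.append(Hit(rec["ts"], rec["client"], host, rec["url"], rec["ua"]))
    return hits


def summarise(hits):
    """Count hits per destination host; unfamiliar hosts go to the top of
    the investigation queue."""
    return Counter(h.host for h in hits)


# Constructed sample log lines, not real traffic; hostnames are placeholders.
SAMPLE_LOG = """\
2026-04-08T09:12:01Z 10.0.0.21 GET https://sync.vendor.test/update.xml 200 "Adobe Synchronizer 1.0"
2026-04-08T09:12:05Z 10.0.0.21 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0)"
2026-04-08T09:13:44Z 10.0.0.37 POST https://feeds.attacker.test/rss/a 200 "Adobe Synchronizer 1.0"
2026-04-08T09:14:02Z 10.0.0.37 GET https://feeds.attacker.test/rss/b 404 "adobe synchronizer 1.0"
malformed line that does not match the format
""".splitlines()


if __name__ == "__main__":
    hits = find_synchronizer_hits(SAMPLE_LOG, allowlist=["sync.vendor.test"])
    for host, n in summarise(hits).most_common():
        print(f"{n:3d} {host}")
```

Run it first with an empty allowlist over a day of real logs; the hosts that appear for nearly every Acrobat-equipped workstation are candidates for the allowlist, and the remainder are what the block rule should catch.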

Why CVE-2026-34621 Demands Immediate Attention

This vulnerability combines several high-risk elements in one chain: active exploitation, PDF-based delivery, arbitrary code execution, and a quiet campaign that appears to have operated for months before emergency remediation arrived.

The use of trusted document formats, selective profiling, and staged exploitation makes the activity especially concerning for environments where PDFs are opened routinely and where sensitive systems or data are involved.