Adobe Reader zero day exploit discovered active since late 2025

Rafi Mahmood

• On 7 April, a security researcher at Expmon detected a sophisticated zero day exploit targeting Adobe Reader, delivered via malicious PDF files and confirmed to work against the latest patched versions of the application.
• The PDFs automatically execute obfuscated JavaScript on open, abusing privileged Acrobat APIs to fingerprint victim systems and exfiltrate environment and user data, rather than immediately deploying a payload.
• Analysis indicates the activity has been ongoing since at least November 2025, with evidence suggesting a selective, reconnaissance‑driven attack chain.
• Organisations should monitor for unexpected outbound connections and abnormal Reader behaviour.

Haifei's random thoughts: EXPMON detected sophisticated zero-day fingerprinting attack targeting Adobe Reader users

Du'aine Davis

Adobe confirms Reader zero‑day exploitation and releases emergency patch
For awareness

• Adobe has formally confirmed the activity as CVE‑2026‑34621, a zero‑day affecting Acrobat and Acrobat Reader on Windows and macOS, and released out‑of‑band patches. Adobe states the flaw can be exploited for arbitrary code execution, rather than information harvesting alone.
• Adobe initially rated the vulnerability critical (CVSS 9.6) before reducing it to 8.6 (high) due to the requirement for a user to open a malicious PDF locally. Adobe explicitly cautioned that this adjustment does not reduce the urgency of applying updates.
• Threat context update: Analysis of observed exploit samples and lures supports earlier assessments of selective targeting, with researchers noting Russian‑language content and sector‑specific themes. An APT‑linked campaign is considered likely, though attribution remains unconfirmed. Technical details and IoCs have since been shared publicly.

Adobe Patches Reader Zero-Day Exploited for Months - SecurityWeek
Adobe Security Bulletin