Adobe Reader Zero-Day Exploited Through Malicious PDFs

Kodem Security Research Team
April 13, 2026

A zero-day vulnerability in Adobe Reader was actively exploited for several months through malicious PDF files. The campaign allowed attackers to steal sensitive data, fingerprint victims, deliver follow-on payloads and potentially achieve arbitrary code execution and full system compromise.

Tracked as CVE-2026-34621, the vulnerability currently carries a CVSS score of 8.6. Adobe originally published a 9.6 score, then revised it to 8.6 on April 12, 2026 after changing the attack vector from Network to Local. Adobe also confirmed that the flaw had been exploited in the wild before a patch became available.

What Happened

Security researcher Haifei Li uncovered the malicious PDF and helped bring CVE-2026-34621 to light. Adobe classifies the issue as a prototype pollution flaw in Reader’s JavaScript engine. In practical terms, the malicious PDF used embedded, obfuscated JavaScript to access privileged Acrobat APIs as part of the exploit chain.

Public reporting indicates the campaign had been active since at least December 2025, giving attackers several months to exploit the vulnerability before Adobe released a fix. Researchers also noted Russian-language lures tied to the oil and gas sector, which suggests the activity may have been targeted rather than broadly opportunistic. 

The exploit chain enabled attackers to:

  • Collect sensitive system information.
  • Fingerprint targeted victims.
  • Deliver additional payloads.
  • Execute arbitrary code.
  • Escape the Adobe sandbox.
  • Achieve full system compromise.

What's Affected

Attack Vector

The exploit is delivered through malicious PDF files. In some cases, opening the document is enough to trigger exploitation. Opening a malicious PDF may allow attackers to:

  • Execute the exploit.
  • Fingerprint the system.
  • Collect sensitive data.
  • Deliver additional payloads.
  • Achieve remote code execution.
  • Escape the sandbox.

Why This Matters

PDFs are widely trusted and commonly opened across organizations. This makes Adobe Reader vulnerabilities particularly risky and malicious PDFs an effective initial access vector: 

  • PDFs are commonly delivered via email and collaboration tools.
  • Users frequently open PDFs without suspicion.
  • Exploits can trigger during document rendering.
  • Attacks can remain stealthy and persistent.

Behavioral Indicators

Security teams should actively monitor their environments for:

  • Unexpected outbound connections from Adobe Reader.
  • Suspicious PDF attachments or downloads.
  • Adobe Reader spawning child processes.
  • Unusual file access activity.
  • Network traffic following PDF execution.
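As an added illustration (not code from the original post or from Kodem), the following Python routine applies two of the indicators above, Reader spawning child processes and unexpected outbound connections, to constructed Sysmon-style process and network events; the allowlists of trusted child images and Adobe destinations are assumptions to be tuned per environment.

```python
"""Triage constructed endpoint telemetry for Adobe Reader behavioural indicators."""
from dataclasses import dataclass

# Adobe Reader / Acrobat executable names (lower-cased for comparison).
READER_IMAGES = ("acrord32.exe", "acrobat.exe")

# Child images a Reader parent should never launch directly (assumption; tune locally).
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Destination suffixes Reader legitimately contacts (assumption; fill from proxy logs).
ALLOWED_DEST_SUFFIXES = (".adobe.com", ".adobe.io")


@dataclass
class Alert:
    host: str
    rule: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_reader(path: str) -> bool:
    return _basename(path) in READER_IMAGES


def triage(events):
    """Return alerts for Reader spawning children or making unexpected connections."""
    alerts = []
    for ev in events:
        if ev["type"] == "process" and _is_reader(ev["parent"]):
            child = _basename(ev["image"])
            sev = "high" if child in LOLBIN_CHILDREN else "medium"
            alerts.append(Alert(ev["host"], "reader-child-process", sev,
                                f"{_basename(ev['parent'])} -> {child}"))
        elif ev["type"] == "network" and _is_reader(ev["image"]):
            dst = ev["dst"].lower()
            if not dst.endswith(ALLOWED_DEST_SUFFIXES):
                alerts.append(Alert(ev["host"], "reader-unexpected-egress", "medium",
                                    f"{dst}:{ev['dport']}"))
    return alerts


# Constructed sample events (not real telemetry); 198.51.100.0/24 is documentation space.
READER_PATH = r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-17", "parent": READER_PATH, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "network", "host": "ws-17", "image": READER_PATH, "dst": "198.51.100.23", "dport": 443},
    {"type": "network", "host": "ws-17", "image": READER_PATH, "dst": "updater.adobe.com", "dport": 443},
    {"type": "process", "host": "ws-02", "parent": r"C:\Windows\explorer.exe", "image": READER_PATH},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host} {a.rule}: {a.detail}")
```

Only the cmd.exe child and the connection to the non-Adobe address produce alerts; Reader being launched by Explorer and the update-style connection are treated as expected.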

Immediate Actions

  1. Patch Immediately: Update Adobe Reader and Acrobat to the latest versions.
  2. Restrict PDF Execution: Disable JavaScript in PDF readers, use sandboxed viewers, or open PDFs in isolated environments.
  3. Monitor Runtime Behavior: Look for suspicious process behavior, outbound traffic and file access.
  4. Audit Exposure: Identify systems running vulnerable Reader versions and review recent PDF activity. 

Why Runtime Visibility Matters

This attack highlights a common pattern:

  • The threat originates from a trusted file.
  • Exploitation occurs at runtime.
  • Static detection often misses the attack.

Runtime visibility helps teams determine which PDFs actually executed, what behavior followed, what data was accessed and whether exploitation succeeded.

Key Takeaways

  • CVE-2026-34621 actively exploited for months.
  • Delivered through malicious PDF files.
  • Enables remote code execution.
  • Affects Adobe Reader and Acrobat.
  • Patch available, update immediately.
  • Runtime visibility helps validate exposure.

The Bottom Line

Trusted file formats continue to be used as initial access vectors. PDF files, like software packages and container images, are often treated as safe. However, when vulnerabilities exist, these trusted files can enable remote code execution and system compromise.

This campaign highlights a recurring pattern. The risk is not always visible through static analysis or file inspection alone. The true impact becomes clear when code executes and behavior is observed at runtime. Understanding what actually runs in your environment is critical to determining whether your organization is exposed and how to respond effectively.
