Adobe Reader Zero-Day Exploited for Months: Researcher

A researcher has come across what appears to be an actively exploited Adobe Reader zero-day vulnerability. Haifei Li is asking the cybersecurity community for assistance in investigating what he describes as a sophisticated PDF exploit. Li is a reputable researcher who over the past two decades has worked at Fortinet, Microsoft, McAfee, and Check Point. He is the founder and developer of Expmon, a sandbox-based system designed to detect file-based zero-days and other exploits. The new Reader exploit was detected by Expmon, and an analysis showed that the identified PDF “acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits”. The researcher believes the PDF exploits a zero-day vulnerability as the attack has been confirmed to work against the latest version of Adobe Reader. While Li has confirmed that the identified exploit collects user and other data from the compromised system, he was unable to reproduce the complete attack chain and obtain additional payloads that may be used for a sandbox escape or remote code execution.  SecurityWeek has reached out to Adobe, but it may take some time for the company to share information on its assessment considering that it only received the details of the exploit on or around April 7.  Exploits targeting the potential zero-day have been submitted to both Expmon and VirusTotal. One sample identified on VirusTotal was submitted in November 2025, which indicates that the vulnerability has been exploited for at least 4 months. One threat intelligence analyst who reviewed the exploits noted that the malicious PDFs contained Russian-language lures and referenced current events in Russia’s oil and gas sector.  Adobe has credited Li with reporting several Reader and Acrobat vulnerabilities in recent years, including critical code-execution flaws.  However, in the case of a Reader vulnerability discovered in 2024 and tracked as CVE-2024-41869, Adobe has not confirmed in-the-wild exploitation after Li reported coming across a PDF that apparently attempted to weaponize the bug.  Related: Adobe Patches 80 Vulnerabilities Across Eight Products Related: Patch Tuesday: Adobe Fixes 44 Vulnerabilities in Creative Apps Related: TrueConf Zero-Day Exploited in Asian Government Attacks Related: Fortinet Rushes Emergency Fixes for Exploited Zero-Day WRITTEN BY Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Massachusetts Hospital Diverts Ambulances as Cyberattack Causes Disruption  US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking Severe StrongBox Vulnerability Patched in Android GPUBreach: Root Shell Access Achieved via GPU Rowhammer Attack  White House Seeks to Slash CISA Funding by $707 Million Wynn Resorts Says 21,000 Employees Affected by ShinyHunters Hack T-Mobile Sets the Record Straight on Latest Data Breach Filing Apple Rolls Out DarkSword Exploit Protection to More Devices Latest News Palo Alto Networks, SonicWall Patch High-Severity Vulnerabilities The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Google Warns of New Campaign Targeting BPOs to Steal Corporate Data 300,000 People Impacted by Eurail Data Breach $3.6 Million Stolen in Bitcoin Depot Hack Shaky Ceasefire Unlikely to Stop Cyberattacks From Iran-Linked Hackers for Long Data Leakage Vulnerability Patched in OpenSSL RCE Bug Lurked in Apache ActiveMQ Classic for 13 Years Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move John Clancy has become Chief Executive Officer at Bitsight. Halcyon has appointed Dave Hannigan as Field Chief Information Security Officer. Pamela McLeod has been named as CISO of the state of New Hampshire. More People On The Move Expert Insights The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) Flipboard Reddit Whatsapp Email