Adobe Patches Actively Exploited Zero-Day That Lingered for Months
An attacker has been using maliciously crafted PDF files to exploit a zero-day in Adobe Acrobat and Reader for at least four months.
Jai Vijayan,Contributing Writer
April 13, 2026
Adobe patched an arbitrary code execution vulnerability in the latest versions of its Acrobat and Reader for Windows and macOS, nearly four months after an attacker first appeared to have begun exploiting it.
The high-severity vulnerability, tracked as CVE-2026-34621, has a CVSS score of 8.6 and stems from a combination of improper input validation and unsafe handling of object attributes. The flaw was initially assigned a CVSS score of 9.6, but Adobe later revised it.
Sophisticated Payload Dropped on Adobe Flaw
Independent security researcher Haifei Li, founder and developer of the EXPMON exploit detection system, uncovered the vulnerability while analyzing a maliciously crafted PDF that someone anonymously uploaded to the platform on March 26. Li's analysis of the file showed it to be a "highly-sophisticated PDF exploit" for a zero-day flaw in Adobe Acrobat and Reader that was, at that point, unpatched.
His initial investigation showed the malicious PDF had actually been sitting largely unnoticed on the public threat-sharing platform VirusTotal since March 23, with just five out of 64 security tools flagging it as suspicious. Later, he discovered that someone had uploaded another version of the malware to VirusTotal, this one dating as far back as Nov. 28, 2025, suggesting that attacks targeting the flaw have been ongoing since at least then.
Li found that an attacker could trigger CVE-2026-34621 simply by getting a user to open the PDF with no additional clicks or permissions required. Once triggered, the booby-trapped PDF file silently fingerprints victims' systems before deciding whether they are worth attacking further.
"The sample acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits," Li wrote on his blog recently. "It abuses a zero-day/unpatched vulnerability in Adobe Reader that allows it to execute privileged Acrobat APIs, and it is confirmed to work on the latest version of Adobe Reader."
Adobe acknowledged the issue in an April 11 advisory and confirmed the flaw had been exploited in the wild. The company released updated versions of the affected software and urged organizations to update to them, citing ongoing exploit activity targeting the vulnerability.
"Exploitation of this issue requires user interaction in that a victim must open a malicious file," according to CVE-2026-34621's description in NIST's National Vulnerability Database (NVD).
Stealthy Reconnaissance
The heavily obfuscated malware hidden inside the PDF executes immediately when a victim opens the file, according to Li. Using an Adobe Reader API mechanism, it first gathers detailed information about the victim's environment, including operating system details, software versions, language settings, and file paths. Rather than immediately deploying a full payload, the malware scouts the system, quietly collecting intelligence and sending it back to attacker-controlled infrastructure for analysis.
In addition to enabling reconnaissance, the malware is simultaneously capable of accessing and extracting sensitive data from compromised systems. Using the same underlying mechanism, it can read files directly from the local machine that potentially include confidential documents, system data, or other sensitive information, and transmit everything it collects to a remote command-and-control (C2) server. Attackers thus gain both a comprehensive picture of the victim's environment and direct access to files stored on their machine.
During testing, Li was unable to retrieve any follow-up exploit that the attacker might have developed for deployment on systems of interest. However, his testing of the attack code showed the delivery mechanism for the secondary payload working perfectly, meaning the attacker could hit an affected version of Adobe Reader with additional remote code execution (RCE) or sandbox escape (SBX) exploits.
"This exploit allows the threat actor to not only collect/steal local information but also potentially launch subsequent RCE/SBX attacks, which could lead to full control of the victim's system," he wrote.
Like Adobe, Malwarebytes recommended that organizations update to the newly patched version as soon as possible. Those that are unable or unwilling to do so for any reason should be "extra cautious" when handling PDFs or unexpected attachments from unknown sources, Malwarebytes advised. Organizations should also monitor all HTTP/HTTPS traffic for the "Adobe Synchronizer" string in the User-Agent field, the security vendor said.
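The User-Agent check Malwarebytes recommends is easy to turn into a first-pass hunt over existing proxy logs. The script below is an added example written for this article; it is not code from Malwarebytes, Adobe, or Li. It assumes a simplified proxy log format (timestamp, client IP, method, URL, status, quoted User-Agent) and runs over a few constructed sample lines, flagging any request whose User-Agent contains the "Adobe Synchronizer" string and grouping the destination hosts per client for triage. Hits are a lead to review, not a confirmed compromise: the flagged destinations still need to be checked against what the organization expects Acrobat to talk to.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines for demonstration only (not real traffic).
# Assumed simplified format: timestamp client_ip method url status "user-agent"
SAMPLE_LOG = """\
2026-04-12T09:14:02Z 10.0.0.15 GET https://intranet.example.test/sync 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
2026-04-12T09:14:07Z 10.0.0.15 POST http://198.51.100.23/upload 200 "Adobe Synchronizer"
2026-04-12T09:15:11Z 10.0.0.22 GET https://updates.example.test/check 304 "Adobe Synchronizer/1.0"
2026-04-12T09:16:40Z 10.0.0.31 GET https://intranet.example.test/ 200 "curl/8.4.0"
malformed line that the parser must skip
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# The User-Agent substring the article recommends monitoring for.
INDICATOR = "adobe synchronizer"


def parse_line(line: str):
    """Parse one log line into a dict of fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def has_indicator(user_agent: str) -> bool:
    """Case-insensitive substring match on the User-Agent value."""
    return INDICATOR in user_agent.lower()


def find_synchronizer_hits(log_text: str) -> list[dict]:
    """Return every parsed record whose User-Agent contains the indicator,
    with the destination host extracted from the URL for triage."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not has_indicator(rec["ua"]):
            continue
        rec["host"] = urlparse(rec["url"]).hostname or ""
        hits.append(rec)
    return hits


def summarize_by_source(hits: list[dict]) -> dict[str, set[str]]:
    """Group the destination hosts seen per client address."""
    summary: dict[str, set[str]] = {}
    for rec in hits:
        summary.setdefault(rec["src"], set()).add(rec["host"])
    return summary


if __name__ == "__main__":
    found = find_synchronizer_hits(SAMPLE_LOG)
    for src, hosts in summarize_by_source(found).items():
        print(f"{src}: {', '.join(sorted(hosts))}")
```

Run as a script it prints one line per client with the hosts its flagged requests went to; in practice you would point `find_synchronizer_hits` at a real proxy export and adjust `LOG_RE` to the actual log layout. The match is a deliberately loose substring test so that version suffixes or other decoration on the User-Agent value do not cause misses.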
Adobe Acrobat and Reader are frequent targets for attackers because of their broad installed base and deep integration with operating system-level functions. Threat actors for years have used PDFs as an attack delivery mechanism, including in state-sponsored campaigns, ransomware operations, targeted phishing, and other malicious activity. Such attacks have long highlighted the need for organizations to prioritize timely patching of vulnerabilities in Adobe products and to monitor file-based threats in general.
About the Author
Jai Vijayan
Contributing Writer
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.