Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 - The Hacker News

Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 Ravie LakshmananApr 09, 2026Vulnerability / Threat Intelligence Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025. The finding, detailed by EXPMON's Haifei Li, has been described as a highly-sophisticated PDF exploit. The artifact ("Invoice540.pdf") first appeared on the VirusTotal platform on November 28, 2025. A second sample was uploaded to VirusTotal on March 23, 2026. Given the name of the PDF document, it's likely that there is an element of social engineering involved, with the attackers luring unsuspecting users into opening the files on Adobe Reader. Once launched, it automatically triggers the execution of obfuscated JavaScript to harvest sensitive data and receive additional payloads. Security researcher Gi7w0rm, in an X post, said the PDF documents observed contain Russian language lures and refer to issues regarding current events related to the oil and gas industry in Russia. "The sample acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits," Li said. "It abuses zero-day/unpatched vulnerability in Adobe Reader that allows it to execute privileged Acrobat APIs, and it is confirmed to work on the latest version of Adobe Reader." It also comes with capabilities to exfiltrate the collected information to a remote server ("169.40.2[.]68:45191") and receive additional JavaScript code to be executed. This mechanism, Li argued, could be used to collect local data, perform advanced fingerprinting attacks, and set the stage for follow-on activity, including delivering additional exploits to achieve code execution or sandbox. The exact nature of this next-stage exploit remains unknown as no response was received from the server. This, in turn, could imply the local testing environment from which the request was issued did not meet the necessary criteria to receive the payload.  "Nevertheless, this zero-day/unpatched capability for broad information harvesting and the potential for subsequent RCE/SBX exploitation is enough for the security community to remain on high alert," Li said. Update Adobe has released security updates for the vulnerability (CVE-2026-34621, CVSS score: 9.6). Please check here for more details. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Adobe Reader, cybersecurity, Malware, remote code execution, social engineering, Threat Intelligence, Vulnerability, zero-day ⚡ Top Stories This Week LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking and More Vercel Finds More Compromised Accounts in Context.ai-Linked Breach FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches Load More ▼ ⭐ Featured Resources [Guide] How to Enable Secure Data Movement Without Added Risk [Webinar] Stop Chasing Alerts and Start Focusing on Real Exposures [Guide] Learn a Practical Framework to Evaluate AI Tools for Production Learn How Hidden Identity Blind Spots Weaken Your Security Systems