Podcast Episode
Adobe Patches Critical Acrobat Zero-Day Exploited Since Late 2025
April 12, 2026
Adobe has released an emergency security update to fix a critical zero-day vulnerability in Acrobat and Reader that attackers have been exploiting for months using malicious PDF files. The flaw allows arbitrary code execution simply by opening a crafted PDF.
Critical Zero-Day in Adobe Acrobat and Reader
Adobe has issued an emergency security patch for a critical zero-day vulnerability in Acrobat and Reader that has been actively exploited in the wild since at least late 2025. The company has urged all affected users to update within 72 hours.
The flaw, tracked as CVE-2026-34621, is a prototype pollution vulnerability that initially carried a CVSS score of 9.6 out of 10, later revised to 8.6. Successful exploitation enables arbitrary code execution on both Windows and macOS systems simply by opening a specially crafted PDF file.
Months of Silent Exploitation
Security researcher Haifei Li, founder of the exploit-detection platform EXPMON, first publicly disclosed the zero-day on 7 April after his system flagged a suspicious PDF sample submitted on 26 March. Li's investigation traced the campaign back to at least late November 2025, when the earliest known malicious file appeared on the VirusTotal malware-scanning platform.
The exploit abuses two privileged Acrobat JavaScript APIs to read local files, fingerprint the victim's system, and exfiltrate collected data to attacker-controlled servers. Rather than deploying a full payload immediately, the attackers first profile targets and then selectively deliver second-stage exploits to systems deemed valuable.
Russian-Language Lures Suggest Targeted Campaign
Analysis of the malicious PDF samples revealed Russian-language documents rendered as images serving as visual decoys, with content referencing gas supply disruptions and emergency response. This suggests the intended targets are Russian-speaking individuals, likely in government, energy, or critical infrastructure organisations.
Patch and Mitigation
The patch, issued under priority rating 1, Adobe's highest urgency designation, covers Acrobat Reader versions 24.001.30356, 26.001.21367, and earlier. Organisations unable to update immediately should disable JavaScript execution in Adobe Reader, route untrusted PDFs to alternative viewers, and block suspicious network traffic containing Adobe Synchronizer in the User-Agent header.
Published April 12, 2026 at 10:13pm
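The network-side mitigation above can also be used for hunting in existing proxy logs. The following is an added example, not part of the original article: it flags requests whose User-Agent contains Adobe Synchronizer and whose destination is outside an expected-host list. The log format, the sample lines and the `EXPECTED_SUFFIXES` list are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Marker string taken from the mitigation advice in the article.
UA_MARKER = "adobe synchronizer"
# Assumption: destinations considered expected for this User-Agent; tune per environment.
EXPECTED_SUFFIXES = ("adobe.com", "adobe.io")

# Assumed combined-log-style proxy line:
# client, ident, user, [timestamp], "request", status, size, "referer", "user-agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (documentation IP ranges, invented version strings).
SAMPLE_LOG = """\
10.0.4.17 - - [12/Apr/2026:09:14:02 +0000] "GET http://files.example.org/report.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.4.17 - - [12/Apr/2026:09:14:31 +0000] "POST http://198.51.100.23/s HTTP/1.1" 200 17 "-" "Mozilla/3.0 (compatible; Adobe Synchronizer 24.1.20000)"
10.0.9.52 - - [12/Apr/2026:09:20:10 +0000] "GET http://www.adobe.com/x.json HTTP/1.1" 200 901 "-" "Mozilla/3.0 (compatible; Adobe Synchronizer 24.1.20000)"
10.0.4.17 - - [12/Apr/2026:09:15:05 +0000] "GET http://203.0.113.80/p?id=7 HTTP/1.1" 200 9120 "-" "mozilla/3.0 (compatible; adobe synchronizer 24.1.20000)"
garbage line that does not parse
"""

def is_expected(host):
    """True if host equals or is a subdomain of an expected suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in EXPECTED_SUFFIXES)

def find_suspicious(log_text):
    """Return {client: [(timestamp, method, host), ...]} for marker-UA
    requests sent to hosts outside EXPECTED_SUFFIXES."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Skip unparseable lines and lines without the marker (case-insensitive).
        if not m or UA_MARKER not in m["ua"].lower():
            continue
        host = urlsplit(m["url"]).hostname or ""
        if not is_expected(host):
            hits[m["client"]].append((m["ts"], m["method"], host))
    return dict(hits)

if __name__ == "__main__":
    for client, events in find_suspicious(SAMPLE_LOG).items():
        print(client, len(events), "request(s):", sorted({h for _, _, h in events}))
```

A workstation that appears in the result is a candidate for triage: correlate the timestamps with PDFs opened on that host shortly before the flagged requests.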