Unpatched Adobe Reader zero-day exploited since December - malicious PDFs steal data with zero clicks
An unpatched zero-day in Adobe Acrobat Reader has been actively exploited since at least November 2025 using booby-trapped PDF documents. The exploit, discovered by EXPMON researcher Haifei Li, works on the latest version of Adobe Reader without any user interaction beyond opening the file. It abuses privileged Acrobat JavaScript APIs (util.readFileIntoStream and RSS.addFeed) to silently harvest local files, OS details, language settings, and the Reader version from the victim's machine, then sends everything to an attacker-controlled server. The PDFs use Russian-language lures related to the oil and gas industry. The attack is a two-stage operation: the first pass fingerprints the target, and if the system meets the attacker's criteria, a follow-on RCE or sandbox escape payload is delivered. Only 5 out of 64 antivirus engines on VirusTotal detected the sample. No CVE has been assigned and no patch is available.
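As an added example (not code from the original report or from EXPMON), the Python script below does static triage of PDF files for the two Acrobat JavaScript API names quoted above. It inflates FlateDecode streams before searching, because a byte search over the raw file can miss strings that sit inside a compressed JavaScript object. The fixture PDFs, the `build_sample` helper and the simplified stream regex are constructed for illustration; only the API names and the `/JavaScript`, `/JS` and `/OpenAction` markers are taken from the advisory and the PDF specification.

```python
"""Static triage of PDFs for the privileged Acrobat JavaScript APIs named in the advisory.
Added example: handles FlateDecode-compressed streams, which a plain grep over the file misses."""
import re
import zlib

# Indicators taken from the advisory text. Everything else in this file is constructed.
SUSPICIOUS_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")
JS_MARKERS = (b"/JavaScript", b"/JS")

# Simplified stream matcher: a dictionary (not crossing an endobj) followed by stream ... endstream.
STREAM_RE = re.compile(rb"(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decode_streams(pdf: bytes):
    """Yield (dictionary, body) for each stream; FlateDecode bodies are inflated,
    anything undecodable (corrupt data, other filters) falls back to the raw bytes."""
    for m in STREAM_RE.finditer(pdf):
        dictionary, body = m.group(1), m.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                # decompressobj ignores trailing bytes such as a stray \r before endstream
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                pass
        yield dictionary, body


def triage_pdf(pdf: bytes) -> dict:
    """Report which indicators appear, looking at both the raw file and the inflated streams."""
    views = [pdf] + [body for _, body in decode_streams(pdf)]
    found_apis = sorted({api.decode() for api in SUSPICIOUS_APIS for v in views if api in v})
    has_js = any(marker in v for marker in JS_MARKERS for v in views)
    return {
        "javascript": has_js,
        "open_action": b"/OpenAction" in pdf,
        "privileged_apis": found_apis,
        # The advisory's API names are the strong signal; JavaScript alone is common in
        # benign forms and only warrants a closer look.
        "verdict": "quarantine" if found_apis else ("review" if has_js else "clean"),
    }


def build_sample(js_source: bytes, compress: bool = True) -> bytes:
    """Construct a minimal PDF-like fixture whose OpenAction runs a JavaScript stream (test data)."""
    body = zlib.compress(js_source) if compress else js_source
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << " + filt + b"/Length " + str(len(body)).encode() + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")


# Constructed fixtures: the API name is the only thing borrowed from the advisory; the
# JavaScript is a placeholder, not a working call sequence.
SAMPLE_SUSPICIOUS = build_sample(b"var s = util.readFileIntoStream(); // placeholder")
SAMPLE_BENIGN = build_sample(b"app.alert('form loaded');")

if __name__ == "__main__":
    for name, data in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage_pdf(data))
```

Run it over a mail-gateway quarantine folder and treat `quarantine` verdicts as samples to hold and hand to IR; `review` verdicts are ordinary JavaScript-bearing forms and need a human look only if they arrived from an unexpected sender.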
- Check: Warn staff not to open PDF attachments from unknown or unexpected sources until Adobe releases a patch. This is especially urgent because the exploit requires no interaction beyond opening the file.
- Affected: All current versions of Adobe Acrobat Reader on Windows and macOS. The exploit was confirmed working on Adobe Reader version 26.00121367, the latest at time of discovery.
- Fix: No patch available yet - Adobe has been notified but has not released a fix. Immediate mitigations:
  - Disable JavaScript in Adobe Reader (Edit > Preferences > JavaScript > uncheck 'Enable Acrobat JavaScript').
  - Block outbound HTTP/HTTPS traffic containing 'Adobe Synchronizer' in the User-Agent header.
  - Block the known C2 IP 169.40.2.68 on port 45191.
  - Consider switching to an alternative PDF reader (like Foxit or browser-based viewing) until Adobe patches.
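To check whether the network mitigations above are needed retroactively, the following added example (not code from the original report) scans a proxy log for the two network indicators it names: a User-Agent containing 'Adobe Synchronizer' and any connection to 169.40.2.68:45191. The log format, the log lines and the client addresses are constructed for illustration; the IP, port and User-Agent string come from the advisory.

```python
"""Retro-hunt a proxy log for the advisory's network indicators.
Added example; log format and sample lines are constructed."""
import re
from collections import defaultdict

# Indicators from the advisory. These are the only values here that are not constructed.
C2_IP = "169.40.2.68"
C2_PORT = 45191
UA_MARKER = "Adobe Synchronizer"

# Constructed log format: timestamp client method url dst_ip dst_port ua="..."
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
                     r'(?P<dst>\S+) (?P<port>\d+) ua="(?P<ua>[^"]*)"$')

# Constructed sample: two hosts reach the C2 endpoint, one only shows the User-Agent.
SAMPLE_LOG = """\
2025-12-02T10:14:03Z 10.1.4.22 GET http://169.40.2.68:45191/ 169.40.2.68 45191 ua="Adobe Synchronizer"
2025-12-02T10:14:05Z 10.1.4.22 GET https://www.example.com/ 93.184.216.34 443 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-12-02T10:15:11Z 10.1.4.31 GET http://169.40.2.68:45191/ 169.40.2.68 45191 ua="Adobe Synchronizer"
2025-12-02T10:16:40Z 10.1.4.57 GET http://intranet.corp.example/ 10.0.0.5 80 ua="Adobe Synchronizer"
2025-12-02T10:17:02Z 10.1.4.58 GET https://updates.example.net/ 203.0.113.9 443 ua="curl/8.4.0"
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def classify(rec: dict) -> list:
    """Return the indicator names a record matches (empty list means benign)."""
    reasons = []
    if rec["dst"] == C2_IP and rec["port"] == C2_PORT:
        reasons.append("c2-endpoint")
    elif rec["dst"] == C2_IP:
        reasons.append("c2-ip-other-port")  # same host on another port still deserves a look
    if UA_MARKER.lower() in rec["ua"].lower():  # header values are case-insensitive in practice
        reasons.append("user-agent")
    return reasons


def scan_log(text: str) -> list:
    """Walk the log and collect one alert per matching line, skipping unparseable lines."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append({"line": n, "client": rec["client"],
                           "dst": f'{rec["dst"]}:{rec["port"]}', "reasons": reasons})
    return alerts


def hosts_to_triage(alerts: list) -> dict:
    """Map client -> set of matched indicators so IR can prioritise hosts that hit the C2 endpoint."""
    out = defaultdict(set)
    for a in alerts:
        out[a["client"]].update(a["reasons"])
    return dict(out)


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print(hosts_to_triage(scan_log(SAMPLE_LOG)))
```

Hosts that matched `c2-endpoint` should be isolated and imaged first; a `user-agent` match on its own identifies a machine that ran the Reader fetch path and is worth checking against the JavaScript preference in the Fix list.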