RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: adobe-reader (2 articles)Clear
defense
CVE-2026-34621
2026-04-12

Adobe releases emergency patch for actively exploited Acrobat Reader zero-day we reported Thursday (CVE-2026-34621)

Adobe has released an emergency security update (APSB26-43, priority-1) to patch CVE-2026-34621, the Adobe Reader zero-day we reported on April 10 that had been exploited since December 2025 via malicious PDF documents. The flaw has now been classified as a prototype pollution vulnerability leading to arbitrary code execution - more severe than the initial fingerprinting and data theft we described. Adobe confirmed it's worse than just information leakage: the underlying bug can achieve full RCE, not just the reconnaissance stage observed in early exploitation. CVSS was initially scored 9.6 but Adobe revised it down to 8.6 after changing the attack vector from Network to Local. EXPMON researcher Haifei Li, who first disclosed the flaw, was credited by Adobe. All users on Windows and macOS should update immediately - Adobe assigned this patch its highest priority rating.

adobe-readerzero-dayemergency-patchprototype-pollutionrceactively-exploited
Check
Update Adobe Acrobat and Reader immediately. If you disabled JavaScript in Reader based on our April 10 advisory, you should still update - the patch fixes the root cause.
Affected
All versions of Adobe Acrobat and Reader on Windows and macOS prior to the APSB26-43 patch. Adobe confirmed exploitation in the wild since at least December 2025.
Fix
Update Adobe Acrobat and Reader via Help > Check for Updates, or download from the Adobe Security Bulletin APSB26-43. This is a priority-1 patch - Adobe recommends installation within 72 hours. Keep Acrobat JavaScript disabled as defense-in-depth even after patching. Continue blocking the C2 indicator supp0v3[.]com and User-Agent string 'Adobe Synchronizer' at the network level.
vulnerability
2026-04-09

Unpatched Adobe Reader zero-day exploited since December - malicious PDFs steal data with zero clicks

An unpatched zero-day in Adobe Acrobat Reader has been actively exploited since at least November 2025 using booby-trapped PDF documents. The exploit, discovered by EXPMON researcher Haifei Li, works on the latest version of Adobe Reader without any user interaction beyond opening the file. It abuses privileged Acrobat JavaScript APIs (util.readFileIntoStream and RSS.addFeed) to silently harvest local files, OS details, language settings, and the Reader version from the victim's machine, then sends everything to an attacker-controlled server. The PDFs use Russian-language lures related to the oil and gas industry. The attack is a two-stage operation: the first pass fingerprints the target, and if the system meets the attacker's criteria, a follow-on RCE or sandbox escape payload is delivered. Only 5 out of 64 antivirus engines on VirusTotal detected the sample. No CVE has been assigned and no patch is available.

adobe-readerzero-dayunpatchedpdfjavascriptfingerprintingactively-exploited
Check
Warn staff not to open PDF attachments from unknown or unexpected sources until Adobe releases a patch. This is especially urgent because the exploit requires no interaction beyond opening the file.
Affected
All current versions of Adobe Acrobat Reader on Windows and macOS. The exploit was confirmed working on Adobe Reader version 26.00121367, the latest at time of discovery.
Fix
No patch available yet - Adobe has been notified but has not released a fix. Immediate mitigations: disable JavaScript in Adobe Reader (Edit > Preferences > JavaScript > uncheck 'Enable Acrobat JavaScript'). Block outbound HTTP/HTTPS traffic containing 'Adobe Synchronizer' in the User-Agent header. Block the known C2 IP 169.40.2.68 on port 45191. Consider switching to an alternative PDF reader (like Foxit or browser-based viewing) until Adobe patches.