
Adobe Patches Critical PDF Zero-Day Exploited Since November 2025
Key Takeaways
- CVE-2026-34621 is a critical prototype-pollution flaw in Acrobat/Reader exploited in the wild since November 2025.
- Adobe released an emergency patch for Acrobat/Reader on April 11, 2026.
- The flaw enables remote code execution via malicious PDFs, bypassing sandbox protections and JavaScript APIs.
Adobe PDF Zero-Day Exploit
Adobe patched a critical zero-day vulnerability in its PDF software that hackers had been actively exploiting since at least November 2025.
“Adobe has released an emergency security update for Acrobat Reader to fix a vulnerability, tracked as CVE-2026-34621, that has been exploited in zero-day attacks since at least December”
The flaw allowed attackers to execute arbitrary code simply by convincing users to open a specially crafted PDF file.

Security researcher Haifei Li discovered the vulnerability after someone uploaded a malicious PDF to his EXPMON detection system.
The exploit could lead to full control of the victim's system and was being used in the wild for at least four months before Adobe released a fix.
The vulnerability affected Acrobat DC, Reader DC, and Acrobat 2024 on both Windows and macOS.
Adobe urged users to update immediately as there were no workarounds or mitigations.
Exploit Mechanics and Targets
The vulnerability is classified as Improperly Controlled Modification of Object Prototype Attributes, the bug class commonly called prototype pollution.
Exploitation required only that the victim open a malicious PDF file; no additional interaction was needed.

The malicious PDFs contained obfuscated JavaScript that could fingerprint the underlying system and send information to a command and control server.
Some documents were written in Russian and referenced oil and gas sector themes.
The exploit also abused APIs to read arbitrary local files and exfiltrate data.
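For defenders triaging PDFs received from untrusted sources, the following added example (not code from Adobe, EXPMON, or the reporting quoted here) counts the PDF dictionary keys that carry JavaScript or trigger actions automatically, undoing hex-escaped names and inflating Flate-compressed streams first. It flags a document's capability to run script on open, not CVE-2026-34621 specifically; the function names and the sample bytes are constructed for illustration.

```python
import re
import zlib

# Name keys from the PDF specification that mark script or automatic actions.
KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
NAME = re.compile(rb"/[^\s/<>\[\]()%{}]+")           # a PDF name token
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")          # #xx escape inside a name
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def normalize_name(name: bytes) -> bytes:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), name)

def inflate_streams(data: bytes) -> list:
    """Best-effort inflate of every stream body; non-zlib streams are skipped."""
    out = []
    for m in STREAM.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return out

def triage(data: bytes) -> dict:
    """Count script/auto-action keys in the raw file and in inflated streams."""
    counts = {k.decode(): 0 for k in KEYS}
    for blob in [data, *inflate_streams(data)]:
        for raw in NAME.findall(blob):
            name = normalize_name(raw)
            if name in KEYS:
                counts[name.decode()] += 1
    return counts

def runs_script_on_open(counts: dict) -> bool:
    """True when a script key and an automatic trigger are both present."""
    has_script = counts["/JavaScript"] > 0 or counts["/JS"] > 0
    has_trigger = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    return has_script and has_trigger

# Constructed sample (not from any real document): the action dictionary is
# hidden in a compressed stream and its /JavaScript name is hex-escaped.
HIDDEN = zlib.compress(b"<< /S /J#61vaScript /JS (app.alert(1)) >>")
SAMPLE = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"3 0 obj << /Filter /FlateDecode >> stream\n" + HIDDEN +
          b"\nendstream endobj\n")

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result, "script on open:", runs_script_on_open(result))
```

Streams that use other filters or encryption are not decoded here, so a clean result is not proof that a file carries no script.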
Aftermath and Industry Impact
The five-month exploitation window represents one of the longest known zero-day windows in recent memory.
“Opening the wrong PDF in Adobe Reader was enough to let criminals quietly spy on your computer and unleash more attacks, even though everything looked normal”
Adobe's position as the default choice for document management faces pressure.
The incident raises uncomfortable questions about detection capabilities across the cybersecurity industry.
Organizations that processed PDF files from untrusted sources face the prospect of assuming compromise until proven otherwise.