Adobe has released an emergency security update to fix CVE-2026-34621, a zero-day vulnerability in Acrobat Reader that has reportedly been actively exploited in targeted attacks since at least December 2025, with some reports placing the earliest known activity in November 2025.
The flaw is now rated 8.6 out of 10 (instead of 9.6) after Adobe determined that the exploit requires a victim to open a file locally, rather than being triggerable remotely over a network. It enables attackers to bypass built-in sandbox protections and run malicious JavaScript code when a user opens a specially crafted PDF file.
The flaw stems from a prototype pollution issue, a type of JavaScript flaw that lets attackers manipulate application behavior by changing object properties. In this case, attackers can invoke privileged APIs to access local files and execute arbitrary code within the context of the logged-in user.
Security researcher Haifei Li, Founder of EXPMON, publicly disclosed the issue after analyzing a suspicious PDF sample submitted to the exploit detection platform. “It appears that Adobe has determined the bug can lead to arbitrary code execution, not just an information leak,” EXPMON said in an X post on April 12.
Initial analysis showed the exploit leveraging functions such as util.readFileIntoStream() to access local files and RSS.addFeed() to extract data or retrieve additional payloads. At the time the sample was uploaded to VirusTotal, only five of 64 security vendors flagged it as malicious.
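As an added illustration (not code from Adobe, EXPMON or the original article), a static triage pass can inflate a PDF's Flate-compressed streams and flag files that carry a JavaScript action and reference the two API names reported above. The function names and sample bytes are constructed for this example, and the check is a triage heuristic rather than a detection of the exploit itself.

```python
import re
import zlib

# API names the article reports in the analyzed sample.
SUSPECT_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_KEY_RE = re.compile(rb"/(?:JS|JavaScript)\b")


def decoded_streams(pdf: bytes):
    """Yield every stream body, inflated when it is Flate-compressed."""
    for match in STREAM_RE.finditer(pdf):
        raw = match.group(1)
        try:
            # decompressobj tolerates truncated or padded streams.
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            yield raw  # other filter or no filter: scan bytes as stored


def triage_pdf(pdf: bytes) -> dict:
    """Static triage only: obfuscated script or hex-escaped names evade it."""
    bodies = [pdf, *decoded_streams(pdf)]
    hits = sorted({api.decode() for api in SUSPECT_APIS
                   for body in bodies if api in body})
    has_js = any(JS_KEY_RE.search(body) for body in bodies)
    return {"has_javascript": has_js, "api_hits": hits,
            "review": has_js and bool(hits)}


def make_sample(script: bytes) -> bytes:
    """Constructed PDF-like bytes: one JavaScript action, one Flate stream."""
    body = zlib.compress(script)
    header = b"%PDF-1.7\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
    stream_dict = b"2 0 obj\n<< /Filter /FlateDecode /Length " + str(len(body)).encode()
    return header + stream_dict + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n"


# Constructed inputs: inert text that only names the APIs, and a benign script.
SAMPLE_FLAGGED = make_sample(b"/* constructed */ util.readFileIntoStream; RSS.addFeed;")
SAMPLE_CLEAN = make_sample(b"app.alert('constructed benign sample');")

if __name__ == "__main__":
    for name, data in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(name, triage_pdf(data))
```

A hit only prioritises a file for manual or sandbox analysis; a clean result does not clear it.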
Russian-Suspected Campaigns and Limited Detection
Security researcher Gi7w0rm has described the campaign’s sophistication and targeting as consistent with state-aligned espionage activity, with lures referencing current events in Russia’s oil and gas sector.
According to separate findings shared by Li, the malicious PDFs can fingerprint infected systems and enable communication with attacker-controlled infrastructure. Only systems meeting attacker-defined criteria received the second-stage payload, indicating deliberate target selection rather than mass distribution.
CISA added the vulnerability to its KEV catalog on Apr. 13, 2026, requiring federal agencies to apply patches by Apr. 27, 2026.
Adobe confirmed that no workarounds are available, making patching the only effective mitigation. The company has released fixes across Windows and macOS for affected versions of Acrobat DC, Acrobat Reader DC, and Acrobat 2024.
For security leaders in energy, government, and defence, the Russian oil-and-gas themed lures and two-stage payload delivery suggest this campaign was designed to identify and compromise high-value targets specifically. Organizations in these sectors should treat the patch as urgent regardless of whether they have seen indicators of compromise and should review Adobe Reader process activity and outbound connections for the period from November 2025 onwards.