Adobe urgent patch corrects zero-day vulnerability that turned PDFs into tools to steal data

4 min read

Adobe has urgently published a patch for Acrobat Reader after a vulnerability was found to have been exploited in zero-day attacks since at least December. The flaw, tracked as CVE-2026-34621, allows a malicious PDF to bypass internal security restrictions and call privileged JavaScript APIs, opening the door to arbitrary code execution and to reading and exfiltrating local files with no user interaction beyond opening the affected file.

According to the public analysis that triggered the investigation, the exploit uses calls such as util.readFileIntoStream() to read files from the local disk and functions such as RSS.addFeed() to send that data out of the system and to download additional attacker-controlled code. In other words, a crafted PDF can turn Adobe Reader into an information-stealing tool and a vector for delivering further malicious payloads.


The detection originated with a researcher using the EXPMON system: Haifei Li reports that someone uploaded a sample named "yummy_Adobe_exploit_uwu.pdf" to that platform for analysis, and that the sample had reached VirusTotal days earlier, where only a few engines initially flagged it as malicious. EXPMON's technical report on the sample is available in its public analysis, and the VirusTotal entry shows the limited detection at that time.

The security community has also identified active campaigns using Russian-language documents with lures related to the oil and gas industry. One researcher who has publicly reported observations of these attacks is Gi7w0rm, whose thread can be consulted in his post on X. The combination of an exploit that slips past many antivirus engines and targeted lures explains why attackers have been able to take advantage of the vulnerability in the real world.

After receiving the report, Adobe published its security advisory and assigned the identifier CVE-2026-34621. The company initially rated the flaw with a high score and a network attack vector, but later revised the assessment and lowered the severity by changing the vector to local, leaving a lower final score (though still high). The official advisory with the details and fixed versions is available on Adobe's security advisories page.

The affected products are specific versions of Acrobat and Acrobat Reader on Windows and macOS; for example, Acrobat DC and Acrobat Reader DC up to 26.001.21367 and the Acrobat 2024 series up to 24.001.30356 were marked as vulnerable and have received updates that fix the flaw (26.001.21411 for DC and 24.001.30362 / 30360 for Acrobat 2024, depending on platform). The fixed versions and installers for each system are listed in the Adobe advisory.

Adobe recommends applying the update as soon as possible: the usual way is to use the Help > Check for Updates menu inside the application to trigger the automatic installation, although the installer can also be downloaded from the official Adobe portal at get.adobe.com/reader. The public advisory does not list any workaround, so updating is the only official measure against this exploit.

From a practical perspective, there are two immediate lessons. The first is that keeping software up to date is still the most effective defense: when a vulnerability lets an attacker escape the sandbox and call privileged APIs, the vendor patch cuts off the attack path. The second is that unexpected PDFs should be treated with suspicion, especially when they come from unverified senders or use sensitive-sounding subject matter as a lure; opening them in isolated environments or virtual machines reduces the risk of direct impact.


For IT teams and administrators, the recommendation is to prioritize the update on workstations and systems where Acrobat Reader is used regularly, and to review telemetry and logs for suspicious PDF openings during the months the vulnerability was being exploited. In corporate environments, additional measures such as restricting macro execution, application blocking policies and data exfiltration protection can limit the scope of a similar attack.
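To help with the prioritization above, here is an added example (not code from the article or from Adobe) that triages an inventory of installed Acrobat versions against the fixed builds the article lists. It assumes version strings in Adobe's "MM.mmm.bbbbb" form and, since the article gives two fixed Acrobat 2024 builds without naming which platform each belongs to, marks a host between the two for manual review instead of silently passing it; the hostnames and versions in the sample inventory are constructed.

```python
from collections import defaultdict

# Fixed builds the article gives for CVE-2026-34621, keyed by Acrobat track
# (major version). Each entry is (lowest fixed build listed, build fixed on every
# platform); Acrobat 2024 lists 24.001.30362 / 30360 without naming platforms.
FIXED_BUILDS = {
    26: ((26, 1, 21411), (26, 1, 21411)),   # Acrobat DC / Acrobat Reader DC
    24: ((24, 1, 30360), (24, 1, 30362)),   # Acrobat 2024
}

def parse_version(text):
    """Turn 'MM.mmm.bbbbb' (as Help > About reports it) into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version string: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version):
    """Classify one installed version against the fixed builds."""
    v = parse_version(version)
    bounds = FIXED_BUILDS.get(v[0])
    if bounds is None:
        return "unknown-track"        # not a track the article covers; check manually
    lowest_fixed, fixed_everywhere = bounds
    if v >= fixed_everywhere:
        return "patched"
    if v >= lowest_fixed:
        return "review-platform"      # fixed on one platform only; confirm which
    return "vulnerable"

def triage(inventory):
    """Group (hostname, version) pairs by status; hostnames sorted within each group."""
    groups = defaultdict(list)
    for host, version in inventory:
        try:
            groups[assess(version)].append(host)
        except ValueError:
            groups["unparseable"].append(host)   # inventory gaps need a manual check too
    return {status: sorted(hosts) for status, hosts in groups.items()}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "26.001.21367"),
    ("ws-02", "26.001.21411"),
    ("ws-03", "24.001.30356"),
    ("mac-01", "24.001.30360"),
    ("ws-04", "24.001.30362"),
    ("ws-05", "n/a"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

The "vulnerable" group is the patch queue; "review-platform" and "unparseable" hosts need a manual look before they are considered covered.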

The case is also a reminder that new threats can take time to be detected by antivirus engines, and that community contributions and systems such as EXPMON and VirusTotal are valuable complementary tools for identifying samples that would otherwise go unnoticed. The researcher's technical post that triggered the investigation gives context on how the sample was discovered and which internal detection techniques helped; you can read more on Haifei Li's personal blog.

If you use Acrobat or Acrobat Reader, do not delay the update: it is the safest and simplest way to close this gap. And if you handle sensitive documents or work in sectors with a high attack profile, combine the update with isolation and monitoring practices to minimize risk while the ecosystem continues to recover from active exploitation.
