
Adobe has confirmed that attackers have been quietly exploiting a critical zero-day vulnerability in Adobe Acrobat and Reader since at least December 2025 — and the attack requires nothing more than a victim opening a PDF file.
The vulnerability, now tracked as CVE-2026-34621, carries a CVSS score of 9.6 out of 10 and enables arbitrary code execution (where an attacker can remotely run malicious commands on the victim's machine) across both Windows and macOS platforms. Adobe addressed the flaw on April 11, 2026, under security bulletin APSB26-43, assigning the patch a priority-1 rating.
Security researcher Haifei Li of EXPMON — the sandbox-based exploit detection platform — was the first to flag the threat, describing it as a "highly sophisticated, fingerprinting-style PDF exploit" targeting a zero-day in Adobe Reader's privileged application programming interfaces.
The exploit, Li warned, works on the latest version of Adobe Reader without requiring any user interaction beyond opening a PDF. No suspicious link to click. No macro to enable. Just open the file.
Another researcher, posting on X under the name Gi7w0rm, noted that the attack appears to leverage Adobe Reader's JavaScript engine. Notably, the malicious PDF documents observed in the wild contained Russian-language lures referencing the oil and gas industry — suggesting a targeted, potentially nation-state-adjacent campaign rather than opportunistic cybercrime.
This isn't Adobe's first encounter with PDF-based attacks — malicious documents have long been a favoured social engineering tool. But a zero-day that silently executes code the moment a PDF renders is a different category of threat entirely. It essentially turns one of the most universally trusted file formats into a silent weapon.
Adobe has issued a 72-hour update advisory for all affected users.
Affected versions include:
- Acrobat DC / Acrobat Reader DC — version 26.001.21367 and earlier
- Acrobat 2024 — version 24.001.30356 and earlier
The fix is version 26.001.21411. Users can update immediately via Help → Check for Updates. Enterprise admins can deploy patches via AIP-GPO, SCUP/SCCM (Windows), Apple Remote Desktop, or SSH (macOS).
If you haven't already, stop reading and update now.
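An added example, not from Adobe or the original article: triaging a software inventory export against the affected-version ceilings and the fixed build listed above. The CSV layout, host names and the `verify` status are assumptions made for illustration. The article gives no fixed build for Acrobat 2024, so builds above that ceiling are flagged for manual verification rather than marked patched.

```python
import csv
import io

# Version ceilings and fixed build as stated in the article (APSB26-43).
AFFECTED_MAX = {"dc": (26, 1, 21367), "2024": (24, 1, 30356)}
FIXED_MIN = {"dc": (26, 1, 21411)}  # no fixed build given for the 2024 track

def track_of(product):
    """Map an inventory product name to a release track named in the article."""
    name = product.lower()
    if "acrobat" not in name:
        return None
    return "2024" if "2024" in name else "dc" if "dc" in name else None

def parse_version(text):
    """'26.001.21367' -> (26, 1, 21367); None unless three numeric fields."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(product, version):
    """Return 'vulnerable', 'patched', 'verify' or 'unknown' for one install."""
    track, ver = track_of(product), parse_version(version)
    if track is None or ver is None:
        return "unknown"  # unrecognised product or unparseable version string
    if ver <= AFFECTED_MAX[track]:
        return "vulnerable"
    if track in FIXED_MIN and ver >= FIXED_MIN[track]:
        return "patched"
    return "verify"  # above the ceiling, not confirmed against a fixed build

# Constructed sample inventory: hosts and rows are made up for illustration.
SAMPLE = """host,product,version
ws-014,Adobe Acrobat Reader DC,26.001.21367
ws-022,Adobe Acrobat DC,26.001.21411
mac-03,Adobe Acrobat 2024,24.001.30356
ws-031,Adobe Acrobat Reader DC,25.001.20997
ws-040,Adobe Acrobat Reader DC,unknown
"""

def triage_inventory(text):
    rows = csv.DictReader(io.StringIO(text))
    return {r["host"]: triage(r["product"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}\t{status}")
```

Hosts reported as `unknown` or `verify` need a manual check of the installed build before they are counted as remediated.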