Attackers had been exploiting an Adobe Reader zero-day for four months before anyone caught them. The vulnerability, discovered by EXPMON researcher Haifei Li, has been actively exploited since December 2025 through weaponised PDF documents. The exploit requires no user interaction beyond opening a malicious PDF file and works on the latest version of Adobe Reader, for which no patch is available.
The vulnerability abuses privileged Acrobat APIs to steal local files and perform advanced system fingerprinting. According to BleepingComputer, the attacks have been targeting Adobe users for at least four months using what Li described as a “highly sophisticated, fingerprinting-style PDF exploit” to deploy additional exploits after the initial data theft.
Russian Oil Industry Lures and Selective Targeting
Threat intelligence analyst Gi7w0rm found that PDF documents in these attacks contain Russian-language lures referencing ongoing events in the Russian oil and gas industry. The sophisticated targeting suggests this is not opportunistic malware but a focused intelligence collection operation.
The malware uses heavily obfuscated JavaScript buried within PDF objects to hide its intent. Once decoded, the script collects detailed system information including language settings, Adobe Reader version, operating system details and the local file path of the opened PDF. This data is sent to attacker-controlled servers to determine if the compromised machine meets specific target criteria.
EXPMON’s analysis found that the exploit abuses two privileged Acrobat APIs: util.readFileIntoStream() to read arbitrary files from the victim’s system and RSS.addFeed() to exfiltrate stolen data to remote servers. In controlled testing, researchers proved the exploit could read files from the Windows system32 folder and transmit them to attacker infrastructure.
Detection Evasion and Infrastructure Analysis
The original malicious PDF, submitted under the filename “yummy_adobe_exploit_uwu.pdf”, scored just 5 detections out of 64 on VirusTotal. This low detection rate highlights how traditional antivirus engines struggle to identify advanced exploit-only attacks that do not rely on conventional malware signatures.
GitHub forensic analysis by researcher N3mes1s revealed that only two samples exist in VirusTotal’s database, indicating this is “extremely low-volume, highly targeted activity”. The command and control infrastructure shows deliberate operational security: the C2 listener on port 34123 has never been visible to internet-wide scans, suggesting the servers are either firewall-filtered to specific IP ranges or run on demand when targets open the PDF.
Network defenders are advised to monitor for suspicious HTTP requests where the User-Agent string contains “Adobe Synchronizer”, which the exploit uses for outbound communication.
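A starting point for the monitoring advice above, written as an added example rather than code from any of the cited reports: it scans proxy log lines for the “Adobe Synchronizer” User-Agent going to non-Adobe hosts and for connections to port 34123, the C2 port described later in this article. The simplified log layout, the `.adobe.com` allow-list for legitimate Adobe endpoints and the sample records are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed proxy log lines in a simplified "client dst_host dst_port user_agent"
# layout. These are sample records, not traffic captured from the reported attacks.
SAMPLE_LOG = """\
10.0.0.12 203.0.113.7 34123 "Adobe Synchronizer"
10.0.0.12 armmf.adobe.com 443 "Adobe Synchronizer"
10.0.0.31 example.org 443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.44 198.51.100.9 34123 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\d+)\s+"([^"]*)"$')
SUSPICIOUS_UA = "Adobe Synchronizer"          # User-Agent reported for the exploit
C2_PORT = 34123                               # C2 listener port reported for the exploit
ADOBE_DOMAIN_SUFFIXES = (".adobe.com",)       # assumed allow-list; Adobe's own services
                                              # may legitimately send this User-Agent


@dataclass
class Finding:
    client: str
    destination: str
    port: int
    reasons: tuple


def score_line(line: str):
    """Return a Finding for one log line, or None if nothing matches."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, dest, port, ua = m.group(1), m.group(2), int(m.group(3)), m.group(4)
    reasons = []
    # The User-Agent alone is weak; require a destination outside the allow-list.
    if SUSPICIOUS_UA in ua and not dest.endswith(ADOBE_DOMAIN_SUFFIXES):
        reasons.append("adobe-synchronizer-ua-to-non-adobe-host")
    if port == C2_PORT:
        reasons.append("port-34123")
    return Finding(client, dest, port, tuple(reasons)) if reasons else None


def scan(log_text: str):
    """Scan a whole log and return the list of findings, in log order."""
    return [f for f in (score_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit on both reasons for the same client is the strongest signal; a bare port match should be correlated with the PDF-open time on the endpoint before escalating.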
No Patch Exists; Adobe Notified
Li has disclosed the vulnerability to Adobe, but no security update is available at the time of publication. The researcher warned that the exploit’s “fingerprinting capability for broad information harvesting and the potential for subsequent RCE/SBX exploitation is enough for the security community to remain on high alert”.
Until Adobe releases a patch, users should avoid opening PDF documents from untrusted sources. Security teams should also submit suspicious PDF samples to EXPMON’s public analysis service, which has demonstrated the ability to detect advanced exploit-only PDF attacks that may evade traditional malware detection tools.
This is the latest in a series of Adobe Reader zero-days exploited in the wild. Previous incidents include CVE-2023-26369 and CVE-2023-21608, both of which CISA added to its Known Exploited Vulnerabilities catalogue after confirming active exploitation.
References
- BleepingComputer: Hackers exploiting Acrobat Reader zero-day flaw since December
- Cyber Press: Hackers Target Adobe Reader Users with Sophisticated Zero-Day Exploit
- GitHub: Adobe Reader Zero-Day PDF Exploit – Full Forensic Analysis
- GBHackers: Hackers Target Adobe Reader Users With Sophisticated Zero-Day Exploit
- Cybersecurity News: Hackers Actively Attacking Adobe Reader Users Using Sophisticated 0-Day Exploit