- Adobe patches Acrobat Reader zero‑day exploited since Dec 2025
- CVE‑2026‑34621 enabled RCE via malicious PDFs
- Users must update; no workarounds available, defenders urged to monitor traffic
Adobe has released a fix for a vulnerability in Acrobat Reader which was being exploited as a zero-day since December 2025.
The vulnerability is described as an Improperly Controlled Modification of Object Prototype Attributes bug, now tracked as CVE-2026-34621. It enabled remote code execution (RCE) in the context of the current user, and its exploitation requires the victim to open a malicious PDF file.
It was given a severity score of 8.6/10 (high), and affects Acrobat Reader multiple versions:
Article continues below
Acrobat DC versions 26.001.21367 and earlier (fixed in version 26.001.21411)
Acrobat Reader DC versions 26.001.21367 and earlier (fixed in version 26.001.21411)
Acrobat 2024 versions 24.001.30356 and earlier (fixed in version 24.001.30362 on Windows, and version 24.001.30360 on Mac)
Highly sophisticated attack
The company said there were no workarounds or mitigations, and that the only way to fix the issue is to update the app. This can be done either through the app itself (by navigating to Help – Check for Updates menu), or by downloading the Acrobat Reader installer from Adobe’s official website.
Security researcher Haifei Li recently found and warned about a “highly sophisticated, fingerprinting-style PDF exploit”.
“This ‘fingerprinting’ exploit has been confirmed to leverage a zero-day/unpatched vulnerability that works on the latest version of Adobe Reader without requiring any user interaction beyond opening a PDF file,” Li said. “Even more concerning, this exploit allows the threat actor to not only collect/steal local information but also potentially launch subsequent RCE/SBX attacks, which could lead to full control of the victim’s system.”
A separate report from an analyst with the alias Gi7w0rm says that the PDF lure being used in these attacks references ongoing events in the Russian oil and gas industry, and that it was written in Russian, suggesting who the targets might be.
While Adobe claims no workarounds are available, BleepingComputer noted network defenders could mitigate attacks by monitoring and blocking HTTP/HTTPS traffic with the “Adobe Synchronizer” string in the User-Agent header.
“This zero-day/unpatched capability for broad information harvesting and the potential for subsequent RCE/SBX exploitation is enough for the security community to remain on high alert. This is why we have chosen to publish these findings immediately so users can stay vigilant,” the researcher concluded.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
