Adobe Reader Emergency Patch Fixes CVE-2026-34621 Under Active Attack

Adobe has released an emergency patch for a critical vulnerability in Acrobat Reader that has been actively exploited in the wild for months, allowing attackers to execute code or steal sensitive data via specially crafted PDF files.

Adobe has released an emergency patch for a critical vulnerability in Acrobat Reader that has been actively exploited in the wild for months. The vulnerability, tracked as CVE-2026-34621, allows attackers to execute code or steal sensitive data simply by convincing a user to open a specially crafted PDF file.

While Adobe typically releases updates on a fixed monthly schedule, the severity and active exploitation of this issue forced the company to issue an out-of-band emergency patch.

What Happened?

The vulnerability was discovered by security researcher Haifei Li through an advanced detection system designed to identify unknown exploit behavior in PDF files. Analysis revealed that attackers had been exploiting this issue since at least late November 2025, indicating a long-running and potentially targeted campaign.

The flaw is described by Adobe as an "Improperly Controlled Modification of Object Prototype Attributes" vulnerability. In practice, it allows attackers to abuse internal Acrobat APIs to perform unauthorized actions within the Reader environment.

How the Attack Works

The attack begins with a malicious PDF containing heavily obfuscated JavaScript. Once opened, the document executes embedded scripts designed to bypass normal restrictions within Adobe Reader. These scripts often contain base64-encoded payloads hidden inside PDF objects, which are decoded and executed at runtime.

After deobfuscation, researchers observed that the exploit performs several actions, including collecting system information, retrieving local file paths, and exfiltrating data to a remote server controlled by the attacker.

The exploit leverages privileged Acrobat APIs such as util.readFileIntoStream() to read local files, and RSS.addFeed() to transmit data and receive additional malicious instructions.

Rather than immediately deploying a full exploit chain, the attack operates in multiple stages. The initial PDF collects system data and sends it to attacker infrastructure, where the target is evaluated and fingerprinted.

Based on this information, attackers may choose to deploy additional payloads such as remote code execution (RCE) or sandbox escape exploits. This selective approach allows attackers to remain stealthy and focus on high-value targets.

Indicators of Compromise (IOCs)

Indicators identified by researchers include suspicious outbound connections and unusual behavior within PDF files.

  • Connections to IP addresses such as 169.40.2.68:45191 and 188.214.34.20:34123
  • Obfuscated JavaScript and base64-encoded payloads within PDF objects
  • Unexpected use of Acrobat APIs in embedded scripts
  • Network traffic containing unusual User-Agent strings such as "Adobe Synchronizer"
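As an added illustration (not code from this article or from BaseFortify), the Python script below statically triages a PDF for the traits listed above (a JavaScript action, FlateDecode streams that name the cited Acrobat APIs, long base64-looking blobs) and matches proxy log lines against the network indicators. The PDF fixture and the log lines are constructed here; the fixture only names the APIs and is not a working exploit.

```python
import base64
import re
import zlib

SUSPICIOUS_APIS = ("util.readFileIntoStream", "RSS.addFeed")  # APIs named in the advisory
IOC_ENDPOINTS = ("169.40.2.68:45191", "188.214.34.20:34123")  # endpoints from the IOC list
IOC_USER_AGENT = "Adobe Synchronizer"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # long base64-looking run

def _streams(pdf: bytes):
    """Yield every stream body, inflating FlateDecode streams where that succeeds."""
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", pdf, re.S):
        try:
            yield zlib.decompress(m.group(1))  # trailing newline is ignored by zlib
        except zlib.error:
            yield m.group(1)  # not compressed (or not Flate): scan the raw bytes

def triage_pdf(pdf: bytes) -> dict:
    """Static triage of raw and inflated content; nothing in the file is executed."""
    text = pdf + b"\n" + b"\n".join(_streams(pdf))
    findings = {
        "javascript": bool(re.search(rb"/(JS|JavaScript)\b", pdf)),
        "open_action": b"/OpenAction" in pdf,  # script runs as soon as the file opens
        "apis": [api for api in SUSPICIOUS_APIS if api.encode() in text],
        "base64_blob": bool(B64_RUN.search(text)),
    }
    findings["suspicious"] = findings["javascript"] and bool(
        findings["apis"] or findings["base64_blob"])
    return findings

def build_sample_pdf() -> bytes:
    """Constructed fixture, not a real exploit: an auto-run JavaScript action whose
    FlateDecode stream names the two APIs and carries a long base64 blob."""
    js = b"/* fixture */ util.readFileIntoStream(...); RSS.addFeed(...); var d='"
    body = zlib.compress(js + base64.b64encode(b"A" * 200) + b"';")
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")

def flag_log_lines(lines):
    # Return the proxy log lines that match the advisory's network indicators.
    return [ln for ln in lines
            if IOC_USER_AGENT in ln or any(ep in ln for ep in IOC_ENDPOINTS)]

SAMPLE_LOG = [  # constructed log lines; 203.0.113.7 is a documentation address
    '2026-04-02T10:14:03Z proxy src=10.0.0.8 dst=188.214.34.20:34123 ua="Adobe Synchronizer"',
    '2026-04-02T10:14:05Z proxy src=10.0.0.9 dst=203.0.113.7:443 ua="Mozilla/5.0"',
]
```

Run `triage_pdf(open(path, "rb").read())` over a quarantined sample to get the findings dictionary; a hit on `suspicious` is a reason to isolate the host and review its proxy logs with `flag_log_lines`, not proof of compromise on its own.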

Affected Versions and Patch

Adobe has released emergency updates for Acrobat Reader DC, Acrobat DC, and Acrobat 2024 across both Windows and macOS platforms.

Users are strongly advised to update immediately, as this vulnerability is actively exploited and can lead to arbitrary code execution.

Organizations should apply updates without delay, avoid opening untrusted PDF files, monitor network activity for suspicious connections, and investigate any systems that may have processed potentially malicious documents.

How BaseFortify Can Help

BaseFortify.eu helps you understand where risks exist across your environment by mapping software components to known vulnerabilities.

For example, you can represent Adobe Reader installations using:

cpe:2.3:a:adobe:acrobat_reader:26.001.21411:*:*:*:*:*:*:*

This allows you to quickly identify affected systems, correlate them with vulnerabilities like CVE-2026-34621, and prioritize remediation. Registration is open to everyone, and a Free subscription is available.

Final Thoughts

This vulnerability highlights how sophisticated PDF-based attacks have become. By combining obfuscation, staged payload delivery, and system fingerprinting, attackers can operate with high precision while avoiding detection.

Resources

Join the BaseFortify Tester Program

We are currently inviting security professionals to join our Spring 2026 testing round. Get Premium access and help shape the platform.

https://basefortify.eu/posts/2026/04/join_our_basefortify_tester_program_(spring_2026).html