Adobe Reader - Zero-Day Vulnerability Under Active Exploitation
Significant risk: action recommended within 24-48 hours
Hackers found a way to trick Adobe Reader into running bad code when you open certain PDF files. This can let them steal your information or take control of your computer. It's been happening since last December, and there's no fix yet, so be careful with PDFs for now!
A zero-day vulnerability in Adobe Reader has been exploited since December 2025, allowing attackers to execute privileged APIs via malicious PDFs. Security experts urge immediate action.
The Flaw
On April 7, 2026, security researcher Haifei Li revealed a zero-day vulnerability in Adobe Reader that has been exploited since at least December 2025. This vulnerability allows threat actors to execute privileged Acrobat APIs through specially crafted malicious PDF files that run obfuscated JavaScript upon opening. The exploit leverages functions like util.readFileIntoStream() to access local files and collect sensitive information, which is then sent to a remote server using RSS.addFeed(). This sophisticated attack method indicates a high level of technical skill and planning by the attackers.
What's at Risk
The attacks primarily target users in the Russian oil and gas sector, as indicated by the Russian-language lures found in the malicious documents. The exploitation can lead to significant risks, including the theft of sensitive user and system data, remote code execution (RCE), and potential sandbox escape (SBX) exploits. Researchers have confirmed that the vulnerability operates on the latest version of Adobe Reader, heightening the urgency for users to address this issue.
Patch Status
As of now, there is no official patch available from Adobe for this vulnerability. Security experts are urging organizations to remain vigilant and monitor for any updates from Adobe regarding a fix.
Immediate Actions
Organizations are advised to take the following steps to mitigate risks:
- Automatically scan PDF email attachments for potential threats.
- Block suspicious files and educate users about the dangers of unsolicited attachments.
- Temporarily avoid using Adobe Reader to open PDFs until a patch is released.
- Engage with cybersecurity communities to analyze the exploit further and understand its implications.
Technical Details
The malicious PDFs, including samples named "Invoice540.pdf," have been flagged on platforms like VirusTotal, with detection rates as low as 13 out of 64 antivirus engines. This highlights the sophistication of the attack, which may evade traditional security measures. The ongoing exploitation of this zero-day vulnerability underscores the need for advanced detection methods and expert analysis to identify and respond to such threats effectively.
Protections and Threat Indicators
Sophos has identified specific protections related to this threat, including:
- Troj/PDF-BG
- Malware/Callhome
The threat indicators for detecting this activity include various hashes associated with the malicious PDF samples and known IP addresses linked to command and control servers used in the attacks. Notably, the IP address 169.40.2.68:45191 and a new variant connecting to 188.214.34.20:34123 have been highlighted as part of the exploit's infrastructure.
This situation remains fluid, and security researchers continue to analyze the exploit's capabilities and its impact on users worldwide. Organizations are encouraged to stay informed and proactive in their cybersecurity measures.
How to Check If You're Affected
1. Monitor for unusual PDF file behavior in Adobe Reader.
2. Check for known malicious hashes associated with the exploit.
3. Implement advanced threat detection systems for PDF attachments.
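The attachment-scanning step under "Immediate Actions" and the hash and indicator checks above can be combined into one static triage pass. The script below is an added example written for this page, not code from Sophos, Adobe or the researcher: it flags PDFs that contain script triggers (/OpenAction, /JavaScript, /JS and similar names, including the #xx hex-escaped form used to hide them) together with the two Acrobat APIs the advisory names, hashes each file against an IOC list, and matches firewall log lines against the two C2 endpoints quoted above. The hash list is a placeholder because the page gives no hash values; the PDF samples and log lines are constructed for the demonstration and are not real malware or real traffic.

```python
"""Static triage for PDF email attachments (added example, not from the advisory)."""
import hashlib
import re

# Indicators taken from the advisory. The hash list is a PLACEHOLDER: the page
# lists no hash values, so populate it from your own threat-intel feed.
KNOWN_C2 = {("169.40.2.68", 45191), ("188.214.34.20", 34123)}
KNOWN_SHA256 = {"<sha256-of-known-sample-placeholder>"}

# PDF name objects that let a document run script or act automatically on open.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")
# Acrobat API names the advisory says the exploit uses to read and exfiltrate files.
RISKY_APIS = ("util.readFileIntoStream", "RSS.addFeed")

# Firewall/proxy log format assumed here: "... dst=<ip>:<port>" (constructed format).
LOG_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


def normalize_pdf_names(data: bytes) -> bytes:
    """Decode #xx hex escapes (e.g. /J#53 -> /JS), a common way to hide
    /JavaScript from naive string matching. Applied to the whole buffer,
    which is fine for triage even though the escape is only legal in names."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return findings for one PDF. 'high' means a known hash or a script
    trigger combined with one of the named APIs; 'medium' a trigger alone."""
    text = normalize_pdf_names(data)
    # Require a non-name character after the token so /JS does not match /JSfoo.
    names = [n for n in RISKY_NAMES
             if re.search(re.escape(n).encode() + rb"(?![A-Za-z0-9])", text)]
    apis = [a for a in RISKY_APIS if a.encode() in text]
    digest = hashlib.sha256(data).hexdigest()
    known = digest in KNOWN_SHA256
    if known or (names and apis):
        risk = "high"
    elif names:
        risk = "medium"
    else:
        risk = "low"
    return {"sha256": digest, "names": names, "apis": apis,
            "known_hash": known, "risk": risk}


def find_c2_hits(log_lines):
    """Return the log lines whose destination matches a known C2 ip:port pair."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and (m["ip"], int(m["port"])) in KNOWN_C2:
            hits.append(line)
    return hits


# Constructed samples (not real malware): a plain PDF, and one that mimics the
# advisory's pattern with a hex-escaped /JavaScript name and the two API names.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
SUSPECT_PDF = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /#4A#61#76#61Script /JS "
    b"(/* obfuscated */ util.readFileIntoStream ... RSS.addFeed ...) >> endobj\n"
    b"%%EOF\n"
)

# Constructed firewall log lines; 203.0.113.5 is a documentation-range address.
SAMPLE_LOGS = [
    "2026-04-07T10:01:02Z fw action=allow src=10.0.0.12:51544 dst=203.0.113.5:443",
    "2026-04-07T10:03:15Z fw action=allow src=10.0.0.12:51590 dst=169.40.2.68:45191",
    "2026-04-07T10:04:40Z fw action=allow src=10.0.0.19:49211 dst=188.214.34.20:34123",
]

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF)):
        print(label, triage_pdf(pdf))
    for hit in find_c2_hits(SAMPLE_LOGS):
        print("C2 contact:", hit)
```

A "low" result is not a clean bill of health: the advisory stresses that the real samples evaded most antivirus engines, and JavaScript can also be hidden inside compressed object streams that this plain byte scan does not inflate. Treat the script as a first-pass filter to route attachments to sandbox detonation or to Sophos detections (Troj/PDF-BG, Malware/Callhome), and feed any C2 hit straight into incident response for the source host.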
The exploitation of this zero-day vulnerability highlights the importance of advanced detection methods in identifying sophisticated attacks that traditional security tools may miss. Organizations should prioritize user training and implement robust scanning measures for PDF files.