Adobe Fixes Critical Acrobat Reader Flaw Under Active Attack

Summary
– Adobe released an emergency security update to patch a critical zero-day vulnerability (CVE-2026-34621) in Acrobat Reader, which has been actively exploited since November 2025.
– The vulnerability is a prototype pollution flaw in JavaScript that allows attackers to execute arbitrary code, but it requires a user to open a malicious PDF file.
– Its exploitation was discovered after malicious PDFs, which contained Russian text about gas supply disruptions, were submitted to a public exploit detection system.
– Once opened, the malicious files fingerprint the victim’s system and send the data to an attacker-controlled server, with the potential to launch further exploits.
– Adobe has patched the flaw in specific versions of Acrobat DC, Acrobat Reader DC, and Acrobat 2024, urging immediate installation or advising users to avoid untrusted PDFs as a temporary mitigation.
Adobe has released an urgent security patch for a critical zero-day vulnerability in its Acrobat Reader software, which attackers have been actively exploiting since late last year. The flaw, tracked as CVE-2026-34621, is a prototype pollution vulnerability in JavaScript that enables arbitrary code execution on a victim’s system. Exploitation requires user interaction: the victim must open a malicious PDF file, and the flaw cannot be triggered remotely without that action.
Security researcher Haifei Li identified the in-the-wild attacks after a malicious PDF sample was submitted to the EXPMON detection system. Analysis revealed that the weaponized documents perform system fingerprinting upon opening, sending collected data to an attacker-controlled command and control server. The exploit can also retrieve and launch additional payloads from that server, though researchers could not trigger this secondary stage. Malware analyst Giuseppe Massaro noted the malicious PDFs contained Russian-language text referencing gas supply disruptions and emergency response protocols.
Adobe has addressed the vulnerability in the latest versions of its software. The updates cover Acrobat DC and Acrobat Reader DC v26.001.21411 for Windows and macOS, as well as Acrobat 2024 versions 24.001.30362 for Windows and 24.001.30360 for macOS. The company strongly urges all administrators to deploy the patch immediately.
For organizations unable to apply the update right away, researchers recommend enforcing strict policies against opening PDFs from untrusted sources. Security teams should also monitor endpoints for suspicious activity and consider blocking all HTTP and HTTPS traffic containing the “Adobe Synchronizer” string in the User-Agent header, a potential indicator of related malicious communication.
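
Before blocking, teams can hunt for the same indicator in existing proxy logs. The following is an added example, not code from Adobe, the researchers or Help Net Security; it assumes the proxy writes Apache/NGINX "combined" format, and the function name, sample log lines and hosts are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicator string taken from the article; matched case-insensitively.
INDICATOR = "adobe synchronizer"

# Assumed layout (Apache/NGINX "combined"):
# client ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"\s*$'
)

def find_hits(lines):
    """Return (hits_by_client, unparsed_lines); only the User-Agent field is tested."""
    hits = defaultdict(list)
    unparsed = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # keep for review instead of silently dropping
            continue
        if INDICATOR in m.group("ua").lower():
            parts = m.group("request").split()
            target = parts[1] if len(parts) >= 2 else m.group("request")
            hits[m.group("client")].append((m.group("time"), target, m.group("status")))
    return dict(hits), unparsed

# Constructed sample log lines (documentation-range addresses, example hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Apr/2026:09:12:01 +0000] "GET http://files.example.net/a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.23 - - [14/Apr/2026:09:12:07 +0000] "POST http://collector.example.org/x HTTP/1.1" 200 64 "-" "Adobe Synchronizer"
192.0.2.23 - - [14/Apr/2026:09:12:09 +0000] "CONNECT collector.example.org:443 HTTP/1.1" 200 0 "-" "adobe synchronizer/1.0"
192.0.2.31 - - [14/Apr/2026:09:13:40 +0000] "GET http://intranet.example.com/docs?q=Adobe+Synchronizer HTTP/1.1" 200 900 "-" "curl/8.5.0"
truncated line without quotes
"""

if __name__ == "__main__":
    hits, unparsed = find_hits(SAMPLE_LOG.splitlines())
    for client, events in sorted(hits.items()):
        print(f"{client}: {len(events)} request(s)")
        for when, target, status in events:
            print(f"  {when} {target} -> {status}")
    print(f"{len(unparsed)} line(s) could not be parsed")
```

For HTTPS, a proxy sees the User-Agent only in the CONNECT request or when TLS inspection is in place, so the check covers fewer requests on uninspected traffic.
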
(Source: Help Net Security)
