Adobe Acrobat Reader Zero-Day Exploited Since Last Year

▼ Summary
– A zero-day vulnerability in Adobe Acrobat Reader has been actively exploited via malicious PDF files since at least November 2025.
– The exploit uses JavaScript within PDFs to collect system information and send it to an attacker-controlled server.
– The attack is believed to target Russian-speaking entities, as the PDFs use decoy documents related to gas supply disruptions.
– Adobe has been notified but has not yet released a security update to fix the vulnerability.
– As a temporary defense, users should avoid untrusted PDFs and security teams can block specific servers or network traffic patterns.
A critical zero-day vulnerability in Adobe Acrobat Reader has been actively exploited by threat actors since at least November 2025, according to security researcher Haifei Li. The attack leverages malicious PDF files to execute code and gather sensitive system information from victims.
The discovery was made after a suspicious PDF file was submitted to EXPMON, a sandbox-based detection system co-created by Li. The file, which triggered advanced detection features, was also found on VirusTotal with a variant dating back to late last year. Analysis shows the booby-trapped PDF files execute heavily obfuscated JavaScript upon opening. This script performs advanced fingerprinting, collecting data such as the operating system version, language settings, and the local path of the PDF file before exfiltrating it to a remote server controlled by the attacker.
Crucially, the mechanism is designed to fetch and launch additional payloads from the attacker’s server, potentially enabling remote code execution or sandbox escape exploits. During Li’s analysis, the server did not deliver a follow-up exploit, possibly due to IP blocking or unmet conditions on the server side, a tactic consistent with targeted attacks.
Independent analysis by malware researcher Giuseppe Massaro revealed the PDFs use Russian-language documents as visual decoys. The content, discussing gas supply disruptions and emergency responses, strongly suggests the intended targets are Russian-speaking entities within government, energy, or critical infrastructure sectors.
Adobe has been notified of the actively exploited vulnerability, but a security patch is not yet available. The exploit is confirmed to work on the latest version of Acrobat Reader. Until a fix is released, users must exercise extreme caution; Li recommends avoiding PDF files from untrusted sources entirely. For enterprise security teams, he advises blocking the identified attacker-controlled servers at IP addresses 169.40.2.68 and 188.214.34.20. A more robust mitigation is to block all HTTP/HTTPS traffic whose User-Agent header contains the string “Adobe Synchronizer”; for HTTPS this is only possible at a proxy that terminates TLS, since the header travels inside the encrypted session.
Massaro adds that defenders should monitor endpoints for specific suspicious activities. These include the AdobeCollabSync.exe process making external network connections and PDF JavaScript calling the RSS.addFeed() or util.readFileIntoStream() APIs. Proactive monitoring for these indicators of compromise is essential for detecting potential intrusions stemming from this campaign.
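The two sets of indicators above (the network-level ones from Li, the PDF-level ones from Massaro) can be turned into a small triage script. The following is an added example written for this page, not tooling from the researchers, Adobe or Help Net Security; it uses only the indicators quoted in the text (the two IP addresses, the “Adobe Synchronizer” User-Agent string, and JavaScript calling RSS.addFeed() or util.readFileIntoStream()). The proxy log format, the log lines and the sample PDFs are constructed for the demonstration and are not samples from the campaign.

```python
"""Triage helpers for the indicators quoted in the article.

Added example, not tooling from the researchers, Adobe or Help Net Security.
The proxy log format, the log lines and the sample PDFs are constructed for
the demonstration; only the IPs, User-Agent string and API names come from the text.
"""
import re
import zlib

# Indicators from the article
BLOCKED_IPS = {"169.40.2.68", "188.214.34.20"}
UA_MARKER = "Adobe Synchronizer"
SUSPICIOUS_JS_APIS = ("RSS.addFeed", "util.readFileIntoStream")

# Constructed proxy log: tab-separated timestamp, client, dest_ip, method, url, user_agent
SAMPLE_PROXY_LOG = """\
2026-01-10T09:12:01Z\t10.0.0.5\t93.184.216.34\tGET\thttps://example.com/\tMozilla/5.0
2026-01-10T09:12:07Z\t10.0.0.7\t169.40.2.68\tPOST\thttp://169.40.2.68/collect\tAdobe Synchronizer
2026-01-10T09:13:40Z\t10.0.0.9\t203.0.113.9\tGET\thttps://203.0.113.9/feed\tAdobe Synchronizer
2026-01-10T09:14:02Z\t10.0.0.5\t188.214.34.20\tGET\thttp://188.214.34.20/x\tcurl/8.0
"""


def scan_proxy_log(text):
    """Return (client, dest_ip, reason) for each line matching a network indicator.

    IP and User-Agent matches are reported separately so sessions to servers not yet
    on the block list, but carrying the suspicious agent string, still surface.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # malformed line: skip it rather than abort a batch run
        _ts, client, dest_ip, _method, _url, user_agent = fields
        reasons = []
        if dest_ip in BLOCKED_IPS:
            reasons.append("dest_ip")
        if UA_MARKER in user_agent:
            reasons.append("user_agent")
        if reasons:
            hits.append((client, dest_ip, "+".join(reasons)))
    return hits


def build_sample_pdf(js_body):
    """Constructed test input: a minimal PDF whose /OpenAction runs js_body from a
    FlateDecode stream, so the scanner must inflate the stream to see the API names."""
    compressed = zlib.compress(js_body.encode("latin-1"))
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
    ]
    pdf = b"%PDF-1.7\n"
    for num, body in enumerate(objects, 1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# A "stream" keyword that is not the tail of "endstream"; a CR before "endstream"
# (allowed by the spec) is left in the body, where zlib ignores it as trailing data.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)


def iter_blobs(pdf_bytes):
    """Yield the raw file, then each stream body, inflated when its dictionary says FlateDecode."""
    yield pdf_bytes
    for m in STREAM_RE.finditer(pdf_bytes):
        body = m.group(1)
        # The stream dictionary sits between the enclosing "N G obj" and the stream keyword.
        head = pdf_bytes[max(0, m.start() - 512):m.start()]
        head = head[head.rfind(b"obj") + 3:]
        if b"/FlateDecode" in head:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # corrupt or multi-filter stream: fall through with the raw bytes
        yield body


def triage_pdf(pdf_bytes):
    """Static triage: JavaScript present, OpenAction present, and the named API calls."""
    findings = {"has_javascript": False, "has_openaction": False}
    findings.update({api: False for api in SUSPICIOUS_JS_APIS})
    for blob in iter_blobs(pdf_bytes):
        if b"/JavaScript" in blob or b"/JS" in blob:
            findings["has_javascript"] = True
        if b"/OpenAction" in blob:
            findings["has_openaction"] = True
        for api in SUSPICIOUS_JS_APIS:
            if api.encode() in blob:
                findings[api] = True
    return findings
```

Two caveats before relying on this. The article describes the JavaScript as heavily obfuscated, so a literal string match on RSS.addFeed or util.readFileIntoStream will miss a sample that assembles the names at runtime, and this scanner also does not unpack object streams (/ObjStm) or non-Flate filters; a proper PDF parser, or a sandbox such as EXPMON that actually executes the script, is the right tool for those cases. Likewise, the User-Agent block is broad: the same agent string is likely used by legitimate Acrobat synchronization traffic (an assumption, not stated in the article), so run the match against historical proxy logs and review the hits before turning it into an enforcing rule.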
(Source: Help Net Security)