Active exploitation of Adobe Acrobat Reader zero-day via crafted PDFs since December 2025
Summary
A zero-day vulnerability in Adobe Acrobat Reader has been actively exploited since at least December 2025 using maliciously crafted PDF documents. Threat actors leverage a sophisticated, fingerprinting-style exploit targeting an unpatched flaw, enabling data theft and potential remote code execution or sandbox escape on compromised systems without requiring user interaction beyond opening the PDF. The attacks appear to be selectively targeting users, with phishing lures referencing Russian-language content related to the oil and gas industry.
Timeline
- 09.04.2026 12:22 (1 article): Adobe Acrobat Reader zero-day exploited in the wild since December 2025
Attackers have exploited an unpatched vulnerability in Adobe Acrobat Reader using crafted PDF documents since at least December 2025. The exploit employs a fingerprinting-style technique to evade detection, targets privileged Acrobat APIs for data theft, and enables potential remote code execution or sandbox escape. Phishing PDFs contain Russian-language lures referencing the oil and gas sector, suggesting a targeted campaign.
Sources:
- Hackers exploiting Acrobat Reader zero-day flaw since December — www.bleepingcomputer.com — 09.04.2026 12:22
Information Snippets
- The zero-day affects the latest version of Adobe Reader and is triggered by opening a specially crafted PDF file.
First reported: 09.04.2026 12:22. 1 source, 1 article. Sources:
- Hackers exploiting Acrobat Reader zero-day flaw since December — www.bleepingcomputer.com — 09.04.2026 12:22
- Exploitation enables theft of local data via privileged Acrobat APIs (util.readFileIntoStream and RSS.addFeed) and can lead to remote code execution or sandbox escape.
First reported: 09.04.2026 12:22. 1 source, 1 article. Sources:
- Hackers exploiting Acrobat Reader zero-day flaw since December — www.bleepingcomputer.com — 09.04.2026 12:22
- Attacks have been ongoing for at least four months, with evidence pointing to deployment of additional exploits post-compromise.
First reported: 09.04.2026 12:22. 1 source, 1 article. Sources:
- Hackers exploiting Acrobat Reader zero-day flaw since December — www.bleepingcomputer.com — 09.04.2026 12:22
- Phishing PDFs contain Russian-language lures referencing events in the Russian oil and gas sector.
First reported: 09.04.2026 12:22. 1 source, 1 article. Sources:
- Hackers exploiting Acrobat Reader zero-day flaw since December — www.bleepingcomputer.com — 09.04.2026 12:22
- Network defenders are advised to block HTTP/HTTPS traffic containing the "Adobe Synchronizer" string in the User-Agent header as a mitigation.
First reported: 09.04.2026 12:22. 1 source, 1 article. Sources:
- Hackers exploiting Acrobat Reader zero-day flaw since December — www.bleepingcomputer.com — 09.04.2026 12:22
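
A hunting counterpart to the User-Agent block advised above, as an added example that is not part of the original report: it scans proxy logs for requests already sent with the "Adobe Synchronizer" string and groups them by client so those endpoints can be triaged. The combined log format, the addresses, the hostnames and the exact User-Agent values are constructed assumptions.

```python
import re
from collections import defaultdict

# String the advisory says to block in the User-Agent header (lowercased).
MARKER = "adobe synchronizer"

# Assumption: proxy writes Apache/NGINX "combined" format lines.
# Adjust the pattern to the format your proxy actually emits.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)


def find_synchronizer_requests(lines):
    """Return (hits_by_client, unparsed_lines).

    hits_by_client maps client address -> [(timestamp, request, status)]
    for every request whose User-Agent contains MARKER, case-insensitively.
    """
    hits = defaultdict(list)
    unparsed = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # keep for review instead of dropping
            continue
        if MARKER in m["ua"].lower():
            hits[m["client"]].append((m["ts"], m["request"], m["status"]))
    return dict(hits), unparsed


# Constructed sample lines: documentation IP ranges, example domains and
# made-up User-Agent values that merely contain the advised string.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Apr/2026:10:01:12 +0000] "GET http://intranet.example.com/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '192.0.2.23 - - [09/Apr/2026:10:02:40 +0000] "GET http://feeds.example.net/feed.xml HTTP/1.1" 200 2048 "-" "Adobe Synchronizer constructed-sample/0.0"',
    '192.0.2.23 - - [09/Apr/2026:10:02:41 +0000] "CONNECT files.example.net:443 HTTP/1.1" 200 0 "-" "adobe synchronizer constructed-sample/0.0"',
    'truncated line without quoted fields',
]

if __name__ == "__main__":
    found, bad = find_synchronizer_requests(SAMPLE_LOG)
    for client, reqs in found.items():
        print(f"{client}: {len(reqs)} request(s) with the marker User-Agent")
        for ts, request, status in reqs:
            print(f"  [{ts}] {request} -> {status}")
    print(f"{len(bad)} line(s) could not be parsed")
```

Hosts returned here sent traffic before or despite the block, so they are the starting points for endpoint triage.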