
Adobe Reader zero-day exploited via malicious PDFs security flaw

Vulnerability
H score 49
1 unique source, 2 articles

Summary


Adobe Reader is affected by an actively exploited zero-day delivered through malicious PDF documents and observed since at least December. The exploit works on the latest version of Adobe Reader and needs no interaction beyond opening a PDF, which makes simply opening a file a high-risk compromise path. It has been used to steal local information and may enable follow-on remote code execution (RCE) and sandbox escape (SBX) attacks for deeper system control. No patch was available in the reporting window, so the immediate concerns were exposure to untrusted PDFs and suspicious Adobe Synchronizer traffic.

Related Happenings

CISA KEV order for BlueHammer patching

Public Sector Action
First: 23.04.2026 14:05 Last: 23.04.2026 14:05 Sources 1

About this happening: **CISA** ordered **Federal Civilian Executive Branch agencies** to patch **Windows** systems against **CVE-2026-33825** within **two weeks** after adding the flaw to the **KEV Cat...

Windows zero-day exploitation wave

Exploitation Wave
First: 17.04.2026 09:14 Last: 17.04.2026 09:14 Sources 1

About this happening: **BlueHammer**, **RedSun**, and **UnDefend** are being exploited in the wild against **Windows** devices, creating active risk of **SYSTEM** or elevated administrator compromise....

Latest development: 23.04.2026 14:05

CISA added BlueHammer, tracked as CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft Defender on Windows systems within two weeks, by May 7. The federal directive targets ongoing zero-day abuse of the flaw on U.S. government systems.

Magento checkout skimmer campaign targeting nearly 100 stores

Campaign
First: 09.04.2026 01:34 Last: 09.04.2026 01:34 Sources 1

About this happening: A **Magento** checkout skimmer campaign is compromising **nearly 100 online stores** and stealing payment data at the point of sale, putting shoppers’ card details at immediate ri...

Magento Open Source v2 and Adobe Commerce PolyShell mass exploitation

Exploitation Wave
First: 25.03.2026 23:40 Last: 25.03.2026 23:40 Sources 1

About this happening: **PolyShell** exploitation is now underway against **Magento Open Source v2** and **Adobe Commerce**, with attackers reaching **56.7%** of vulnerable stores. The surge began on **...

Latest development: 09.04.2026 01:34

Sansec reported a new campaign against nearly 100 Magento online stores in which attackers hide a credit card skimmer inside a 1x1-pixel SVG element with an onload handler, display a fake Secure Checkout overlay on checkout, validate submitted card data with Luhn, and exfiltrate payment details to attacker infrastructure; the researchers also identified six exfiltration domains hosted by IncogNet LLC (AS40663).

Magento Open Source and Adobe Commerce PolyShell unauthenticated RCE flaw

Vulnerability
First: 19.03.2026 22:01 Last: 19.03.2026 22:01 Sources 1

About this happening: **PolyShell** is a **Magento Open Source** and **Adobe Commerce** vulnerability that can enable **unauthenticated code execution** and **account takeover** across **stable version...

Timeline

  1. 13.04.2026 18:37 · 1 article

    Adobe issues emergency Acrobat Reader update for CVE-2026-34621

    Mitigation Patch Update

    Adobe released an emergency security update for Acrobat Reader to fix CVE-2026-34621 after zero-day exploitation in malicious PDF files. The bulletin says Acrobat DC versions 26.001.21367 and earlier, Acrobat Reader DC versions 26.001.21367 and earlier, and Acrobat 2024 versions 24.001.30356 and earlier are affected, and Adobe recommends updating through Help > Check for Updates or the official installer.

  2. 09.04.2026 12:22 · 1 article

    Haifei Li warns of Adobe Reader zero-day exploited via malicious PDFs

    Initial Disclosure

    Haifei Li warned that attackers have been exploiting an undisclosed Adobe Reader zero-day with maliciously crafted PDF documents since at least December. The exploit is described as a highly sophisticated fingerprinting-style PDF exploit that works on the latest version of Adobe Reader without user interaction beyond opening a PDF file. It can steal local information through the util.readFileIntoStream and RSS.addFeed Acrobat APIs and may enable subsequent RCE/SBX attacks. The warning prompted advice for Adobe Reader users to avoid PDF documents from untrusted contacts until Adobe releases security updates. Gi7w0rm also found Russian-language lures in the weaponized PDFs.
