Adobe Reader Zero-Day Exploited Through Malicious PDFs

Attackers have been exploiting a sophisticated vulnerability in Adobe Reader through malicious PDF files since at least December 2025. The flaw, described by EXPMON's Haifei Li, is delivered in lures such as "Invoice540.pdf": once a user is tricked into opening the file, hidden JavaScript runs to steal data and download additional malware. The first such file was uploaded to VirusTotal in late November 2025, and another appeared in March 2026. Security researcher Gi7w0rm noted that these PDFs contain Russian-language messages themed around the oil and gas sector.

The attack leverages a zero-day vulnerability in Adobe Reader that allows remote command execution and a potential sandbox escape. The malicious PDFs can transmit stolen data to a remote server and fetch further malicious scripts from it. Although the later stages of the attack remain unclear because that server no longer responds, the demonstrated ability to exfiltrate data and execute code poses a significant risk.
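As an added illustration of the kind of triage check a defender would run on inbound PDFs of this type, here is a small indicator scanner; it is my example, not code from EXPMON, Adobe or the reporting above. It looks for the PDF name objects that carry script (/JavaScript, /JS) and the ones that trigger it automatically on open (/OpenAction, /AA), and it first decodes #xx name escapes so an obfuscated spelling like /J#61vaScript is not missed. The two sample documents are constructed and deliberately minimal; the indicator names and the "quarantine" / "review" / "clean" verdict scheme are my own choices.

```python
import re
from collections import Counter

# Keys worth flagging on inbound PDFs: /JavaScript and /JS carry script;
# /OpenAction and /AA run an action on open or on page/form events without
# a click; /Launch starts an external program; /URI and /SubmitForm are
# common channels for sending data out of the document.
RISKY_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/URI", "/SubmitForm")
SCRIPT_KEYS = ("/JavaScript", "/JS")
AUTO_TRIGGERS = ("/OpenAction", "/AA")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()), data)


def pdf_indicators(data: bytes) -> Counter:
    """Count each risky key in the raw (uncompressed) PDF bytes."""
    text = normalize_names(data)
    counts = Counter()
    for key in RISKY_KEYS:
        # Negative lookahead so /JS does not also match a longer name such as /JSX.
        pattern = re.escape(key).encode() + rb"(?![A-Za-z])"
        counts[key] = len(re.findall(pattern, text))
    return counts


def verdict(data: bytes) -> str:
    """Classify a PDF: script that auto-runs is the pattern described in the report."""
    c = pdf_indicators(data)
    has_script = any(c[k] for k in SCRIPT_KEYS)
    has_auto = any(c[k] for k in AUTO_TRIGGERS)
    if has_script and has_auto:
        return "quarantine"      # script executes with no user interaction
    if has_script or c["/Launch"]:
        return "review"          # script or external launch present, trigger unclear
    return "clean"


# Constructed sample: catalog auto-runs an obfuscated JavaScript action (harmless alert).
MALICIOUS_SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert\\(1\\)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed sample: same skeleton with no actions at all.
BENIGN_SAMPLE = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
```

This is a byte-level grep, so keys hidden inside FlateDecode-compressed object streams are not seen until the streams are inflated; treat it as a first-pass filter ahead of a full parser, not as a replacement for one.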

Adobe has addressed the vulnerability, tracked as CVE-2026-34621 and rated high severity (CVSS score: 9.6), in updates that should be applied promptly.

Separately, a 2026 Ponemon study highlights ongoing weaknesses in identity programs and emphasizes the need for effective identity management, particularly in AI applications. The accompanying session offers practical strategies for addressing these challenges, along with free resources and insights from industry leaders.
