Organizations and individual users are urged to patch the Zero Day flaws due to evidence of exploits running in the wild.

Organizations and users running Acrobat and Reader software take note: Adobe has on 12 Apr 2026 confirmed that a critical zero-day flaw had been exploited in cyberattacks since late 2025.

The vulnerability, tracked as CVE-2026-34621, allows attackers to take control of affected systems via malicious PDF files, according to Adobe’s security bulletin.

The bug, rated with a CVSS score of 9.6, stems from prototype pollution within Acrobat’s JavaScript APIs. Attackers have weaponized this weakness by embedding exploit code in booby-trapped PDFs that execute when opened, leading to arbitrary code execution on both Windows and macOS systems. The firm had issued its patch over the weekend, urging users to install it within 72 hours due to confirmed in-the-wild exploitation.

Security researcher Haifei Li of EXPMON had discovered the attack campaign after detecting an unusual PDF submission in late March. Further analysis revealed the first malicious sample, “Invoice540.pdf”, had surfaced back in November 2025, indicating months of undetected exploitation.

Li’s research showed that threat actors leveraged privileged Acrobat JavaScript APIs — specifically util.readFileIntoStream and RSS.addFeed — to read local files, fingerprint victims, and quietly extract system data to remote servers. These staged attacks enabled hackers to profile targets before deploying second-phase malware capable of remote code execution or sandbox evasion.

According to one source, a malware analyst, Giuseppe Massaro, had later determined that the malicious PDFs displayed Russian-language imagery, apparently using fabricated documents about gas supply interruptions and emergency coordination as bait. This points to a campaign directed at Russian-speaking professionals in sectors such as energy, government, or national infrastructure.

Adobe has designated the patch as priority level 1, its highest urgency classification, and confirmed fixes for Acrobat Reader versions 24.001.30356, 26.001.21367, and earlier. For users or organizations unable to apply the update immediately, Adobe recommends disabling JavaScript in Reader, using alternative PDF viewers that lack extended scripting capabilities, and blocking traffic showing the “Adobe Synchronizer” string in HTTP headers.

With attackers continuing to exploit vulnerabilities in popular PDF tools, cybersecurity experts emphasize speedy patch deployment and careful email screening to prevent future compromise.