Adobe Acrobat Reader Vulnerability Exposes Users to Remote Code Execution Attacks
A previously unknown vulnerability in Adobe Acrobat Reader has been exploited in the wild since at least November 2025, allowing attackers to remotely execute malicious code on victims’ systems.
“The exploit involves a PDF file that, when opened, executes a heavily obfuscated JavaScript code that collects sensitive information from the local system and sends it to an attacker-controlled remote server.” – Haifei Li, security researcher
The script is designed to evade detection by rendering the PDF content as images, concealing the malicious code within the document. The remote server can deliver and launch additional exploits, which can be used to gain unauthorized access to the system or disrupt critical infrastructure.
- Fingerprinting attacks gather detailed information about the victim’s system and environment.
- Russian-language documents displayed as visual decoys suggest that the intended targets are likely Russian-speaking individuals or organizations in the government, energy sector, or infrastructure.
Until Adobe releases a patch, users are advised to exercise extreme caution when opening PDF files received from untrusted sources. Security teams can take proactive measures by blocking the two attacker-controlled servers and by monitoring endpoints for activity associated with the “Adobe Synchronizer” string in the User Agent field.
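One way to run the User Agent check over web proxy logs, as an added example that is not from Adobe or the researcher. The log format, host names, User Agent versions and the expected-destination list are constructed assumptions; only the "Adobe Synchronizer" string comes from the article.

```python
import re
from collections import defaultdict

UA_MARKER = "adobe synchronizer"  # string named in the article, matched case-insensitively
# ASSUMPTION: destinations your environment treats as expected for this User Agent (placeholder).
EXPECTED_SUFFIXES = ("sync.vendor.example",)

# ASSUMPTION, constructed log format: time client dest_host method path "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; addresses are documentation ranges, not indicators.
SAMPLE_LOG = """\
2025-11-20T09:14:02Z ws-014 sync.vendor.example GET /v1/state "Mozilla/5.0 Adobe Synchronizer 25.1"
2025-11-20T09:15:40Z ws-014 198.51.100.23 POST /a "Mozilla/3.0 (compatible; Adobe Synchronizer 25.1)"
2025-11-20T09:15:41Z ws-022 news.example GET / "Mozilla/5.0 (Windows NT 10.0) Firefox/133.0"
2025-11-20T09:16:05Z ws-031 203.0.113.8 GET /b "mozilla/3.0 (compatible; adobe synchronizer 25.1)"
malformed line without fields
"""

def is_expected(dest):
    """True if dest equals an expected suffix or is a subdomain of one."""
    dest = dest.lower().rstrip(".")
    return any(dest == s or dest.endswith("." + s) for s in EXPECTED_SUFFIXES)

def find_suspect_requests(log_text):
    """Return {client: [(ts, dest, method, path), ...]} for marker-UA requests to unexpected hosts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of aborting the sweep
        if UA_MARKER not in m["ua"].lower():
            continue
        if is_expected(m["dest"]):
            continue
        hits[m["client"]].append((m["ts"], m["dest"], m["method"], m["path"]))
    return dict(hits)

if __name__ == "__main__":
    for client, reqs in find_suspect_requests(SAMPLE_LOG).items():
        for ts, dest, method, path in reqs:
            print(f"{client}: {ts} {method} {dest}{path}")
```

Grouping hits by client gives responders the list of endpoints to examine for the PDF that triggered the request.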
Further research is ongoing, and this article will be updated with any new developments or information provided by Adobe.
