Adobe patched an arbitrary code execution vulnerability in the latest versions of its Acrobat and Reader for Windows and macOS, nearly four months after an attacker first appeared to have begun exploiting it.
The high-severity vulnerability, assigned CVE-2026-34621, has a CVSS score of 8.6 and stems from a combination of improper input validation and unsafe handling of object attributes. The flaw was initially assigned a CVSS score of 9.6, but Adobe later revised it.
Sophisticated Payload Dropped on Adobe Flaw
Independent security researcher Haifei Li, founder and developer of EXPMON exploit detection system, uncovered the vulnerability when analyzing a maliciously crafted PDF that someone anonymously uploaded to the platform on March 26. Li’s analysis of the file showed it to be a “highly-sophisticated PDF exploit” for a zero-day flaw in Adobe Acrobat and Reader that was at that point unpatched.
His initial investigation showed the malicious PDF had actually been sitting largely unnoticed on the public threat-sharing platform VirusTotal since March 23, with just five out of 64 security tools flagging it as suspicious. Later, he discovered that someone had uploaded another version of the malware to VirusTotal, this one dating as far back as Nov. 28, 2025, suggesting that attacks targeting the flaw have been ongoing since at least then.
Li found that an attacker could trigger CVE-2026-34621 simply by getting a user to open the PDF with no additional clicks or permissions required. Once triggered, the booby-trapped PDF file silently fingerprints victims’ systems before deciding whether they are worth attacking further.
“The sample acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits,” Li wrote on his blog recently. “It abuses zero-day/unpatched vulnerability in Adobe Reader that allows it to execute privileged Acrobat APIs, and it is confirmed to work on the latest version of Adobe Reader.”
Adobe acknowledged the issue in an April 11 advisory and confirmed the flaw had been exploited in the wild. The company released updated versions of the affected software and urged organizations to update to them, citing ongoing exploit activity targeting the vulnerability.
"Exploitation of this issue requires user interaction in that a victim must open a malicious file," according to CVE-2026-34621's description in NIST's National Vulnerability Database (NVD).
Stealthy Reconnaissance
The heavily obfuscated malware hidden inside the PDF executes immediately when a victim opens the file, according to Li. Using an Adobe Reader API mechanism, it first gathers detailed information about the victim’s environment, including operating system details, software versions, language settings, and file paths. Rather than immediately deploying a full payload, the malware scouts the system, quietly collecting intelligence and sending it back to attacker-controlled infrastructure for analysis.
In addition to enabling reconnaissance, the malware is simultaneously capable of accessing and extracting sensitive data from compromised systems. Using the same underlying mechanism, it can read files directly from the local machine that potentially include confidential documents, system data, or other sensitive information, and transmit everything it collects to a remote command-and-control (C2) server. Attackers thus gain both a comprehensive picture of the victim’s environment and direct access to files stored on their machine.
During testing, Li was unable to retrieve any follow-up exploit that the attacker might have developed for deployment on systems of interest. However, his testing of the attack code showed the delivery mechanism for the secondary payload working perfectly, meaning the attacker could hit an affected version of Adobe Reader with additional remote code execution (RCE) or sandbox escape (SBX) exploits.
“This exploit allows the threat actor to not only collect/steal local information but also potentially launch subsequent RCE/SBX attacks, which could lead to full control of the victim’s system,” he wrote.
Like Adobe, Malwarebytes recommended that organizations update to the newly patched version as soon as possible. Those that are unable or unwilling to do so for any reason should be "extra cautious" when handling PDFs or unexpected attachments from unknown sources, Malwarebytes advised. Organizations should also monitor all HTTP/HTTPS traffic for the "Adobe Synchronizer" string in the User-Agent field, the security vendor said.
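The User-Agent monitoring Malwarebytes describes can be implemented as a simple pass over proxy logs. The following is an added example written for this article, not code from Malwarebytes, Adobe, or the researcher; it parses a constructed, simplified proxy log format (timestamp, client, destination host, method, path, status, quoted User-Agent) and reports requests whose User-Agent contains "Adobe Synchronizer". Because legitimate Adobe components may also send that string (an assumption here, not something the article states), matches are grouped by destination host and an optional allowlist of known-good hosts, supplied as a placeholder, is excluded so analysts can triage unfamiliar destinations first.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (not from the article). Format:
# timestamp client dest_host method path status "user_agent"
SAMPLE_PROXY_LOG = """\
2026-04-12T09:14:02Z 10.0.1.15 files.example-cdn.invalid GET /api/sync 200 "Adobe Synchronizer"
2026-04-12T09:14:05Z 10.0.1.15 www.example.invalid GET /index.html 200 "Mozilla/5.0 (Windows NT 10.0)"
2026-04-12T09:15:41Z 10.0.1.22 203.0.113.7 POST /upload 200 "Adobe Synchronizer"
2026-04-12T09:16:00Z 10.0.1.30 sync.corp-allowed.invalid GET /ping 200 "Adobe Synchronizer/1.0"
malformed line that should be skipped
"""

# One regex for the simplified log format above; real proxy formats differ.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<method>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    ts: str
    client: str
    host: str
    method: str
    path: str
    ua: str


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_synchronizer_hits(log_text, ua_marker="Adobe Synchronizer", allowlist=()):
    """Return Hit records whose User-Agent contains ua_marker (case-insensitive)
    and whose destination host is not in the allowlist of known-good hosts."""
    allowed = {h.lower() for h in allowlist}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than aborting the sweep
        if ua_marker.lower() not in rec["ua"].lower():
            continue
        if rec["host"].lower() in allowed:
            continue
        hits.append(Hit(rec["ts"], rec["client"], rec["host"],
                        rec["method"], rec["path"], rec["ua"]))
    return hits


def summarize_by_host(hits):
    """Count matching requests per destination host for triage."""
    counts = {}
    for h in hits:
        counts[h.host] = counts.get(h.host, 0) + 1
    return counts


if __name__ == "__main__":
    # Placeholder allowlist: an organization would populate this from its own
    # baseline of endpoints that Adobe software legitimately contacts.
    allow = ("sync.corp-allowed.invalid",)
    hits = find_synchronizer_hits(SAMPLE_PROXY_LOG, allowlist=allow)
    for h in hits:
        print(f"{h.ts} {h.client} -> {h.host} {h.method} {h.path} UA={h.ua!r}")
    print(summarize_by_host(hits))
```

Run against the embedded sample, the sweep reports the two requests to unfamiliar destinations and suppresses the one to the allowlisted host; the per-host summary is what an analyst would pivot on when deciding which destinations need a closer look.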
Adobe Acrobat and Reader are frequent targets for attackers because of their broad installed base and deep integration with operating system-level functions. Threat actors for years have used PDFs as an attack delivery mechanism, including in state-sponsored campaigns, ransomware operations, targeted phishing, and other malicious activity. Such attacks have long highlighted the need for organizations to prioritize timely patching of vulnerabilities in Adobe products and to monitor file-based threats in general.