Adobe Issues Emergency Patch for Critical PDF Flaw Exploited For Months

Adobe rushed an emergency patch for a critical flaw under active attack.
Discovered by security researcher and EXPMON founder Haifei Li, the high-severity vulnerability has been exploited in the wild since at least December 2025, according to multiple reports. It has been assigned a CVSS score of 8.6 out of 10 and is tracked as CVE-2026-34621.
The flaw is serious enough that Adobe released an emergency patch for all affected products and urged users to update immediately, as no workaround is available.
How malicious PDFs bypassed Adobe’s sandbox
Bugs in software may look like ordinary mistakes and sometimes cause minor glitches. However, beyond those low-risk consequences lies a gap that, if exploited by hackers, can snowball into a massive security incident.
That is exactly what happened in this case.
While Adobe specializes in many enterprise needs, its service offerings primarily focus on sharing and manipulating files, especially PDFs. Users can send, receive, create, and modify PDFs using the Adobe suite of products. Having a guard at the door to block malicious PDFs is necessary, and Adobe implemented one.
Hackers, however, were able not only to bypass the guard and send malicious PDF attachments but also to invoke privileged JavaScript APIs. This further allowed them to execute arbitrary code.
According to BleepingComputer, the hackers abuse JavaScript APIs such as util.readFileIntoStream() to read local files on the victim’s device, and RSS.addFeed() to send the accessed data to a remote server while fetching more malicious code.
In a blog post detailing the incident, Haifei Li, the founder of the EXPMON exploit detection system, notes that the zero-day exploit was observed and analyzed in March when “someone submitted a PDF sample on EXPMON.” The sample, named yummy_adobe_exploit_uwu.pdf, “triggered one of EXPMON’s advanced ‘detection in depth’ features,” which Li said was developed specifically for Adobe.
That detection prompted Li to dig deeper, leading him to discover something even more worrying.
First, only 5 of 64 security vendors on VirusTotal flagged the exploit as malicious. Second, in addition to its Remote Code Execution (RCE) capability, which could lead to a complete device takeover, the exploit can steal a wide range of sensitive files from its victims.
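For mail-gateway or endpoint triage, the two API names reported above can be searched for inside a PDF's compressed streams, where a plain byte search of the file would miss them. This is an added example, not code from Adobe, EXPMON or the article; triage_pdf and build_sample are hypothetical names, only zlib/Flate streams are inflated, and the sample input is constructed.

```python
import re
import zlib

# API names the article reports as abused by the exploit.
SUSPECT_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")
# PDF name tokens that indicate embedded or auto-run JavaScript.
JS_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def inflate_streams(pdf: bytes):
    """Yield the inflated body of every stream that is valid zlib data."""
    for match in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates the EOL bytes left before 'endstream'.
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate-encoded; its raw bytes are scanned anyway


def triage_pdf(pdf: bytes) -> dict:
    """Report JavaScript markers and suspect API names found in a PDF."""
    haystacks = [pdf, *inflate_streams(pdf)]
    apis = sorted(a.decode() for a in SUSPECT_APIS
                  if any(a in h for h in haystacks))
    markers = sorted(m.decode() for m in JS_MARKERS
                     if any(m in h for h in haystacks))
    # Plain string matching: obfuscated script or other filters will evade it.
    return {"apis": apis, "markers": markers,
            "escalate": bool(apis and markers)}


def build_sample(js: bytes) -> bytes:
    """Constructed input: a minimal PDF-like file with one Flate stream."""
    data = zlib.compress(js)
    return (b"%PDF-1.7\n1 0 obj\n<< /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Filter /FlateDecode /Length "
            + str(len(data)).encode() + b" >>\nstream\n"
            + data + b"\nendstream\nendobj\n%%EOF\n")


# Constructed placeholder text, not a working script.
SAMPLE = build_sample(b"util.readFileIntoStream(...); RSS.addFeed(...);")

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

A hit is a reason to quarantine the file and check the recipient's Acrobat version; a miss is not evidence that a file is clean.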
Affected Adobe products and their available fixes
Upon receiving Li’s disclosure, Adobe in April released a public bulletin informing users of the exploit and confirming that it is “aware of CVE-2026-34621 being exploited in the wild.”
Below are the Adobe products affected by this vulnerability, which have now been patched. This applies to both Windows and macOS users of these products:
- Acrobat DC: Affects versions 26.001.21367 and earlier.
- Acrobat Reader DC: Affects versions 26.001.21367 and earlier.
- Acrobat 2024: Affects versions 24.001.30356 and earlier.
Now that a patch is available, what’s next?
Users are urged to update their software to the new version, which carries the fix. To do that, Adobe says users should click on “Help > Check for Updates.” Doing so will automatically download the available update.
For organizations that use the affected Adobe products, IT admins can update to the latest version by obtaining the product’s installer links and sending them to all members; when installed, these override the current software and force an update.
A second option allows updates to be installed using either AIP-GPO, bootstrapper, SCUP/SCCM (for Windows), or Apple Remote Desktop and SSH (for Macs).
The standard rules of digital security apply here: even when a patch is available, users should avoid opening suspicious PDFs entirely. If a file comes from an unknown — or even a known, but unsolicited — source, and must be opened, it is safer to do so on an isolated virtual device.
Users should install the emergency update without delay, as neither Adobe nor Haifei Li identified any user-facing indicators for this exploit. This suggests it is a stealth exploit that evades traditional detection methods, which is all the more reason users must immediately get an update.
