Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

AndyC 10 April 2026

Ravie LakshmananApr 09, 2026Vulnerability / Threat Intelligence

Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025.

Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

Ravie LakshmananApr 09, 2026Vulnerability / Threat Intelligence

Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025.

The finding, detailed by EXPMON’s Haifei Li, has been described as a highly-sophisticated PDF exploit. The artifact (“Invoice540.pdf”) first appeared on the VirusTotal platform on November 28, 2025. A second sample was uploaded to VirusTotal on March 23, 2026.

Given the name of the PDF document, it’s likely that there is an element of social engineering involved, with the attackers luring unsuspecting users into opening the files on Adobe Reader. Once launched, it automatically triggers the execution of obfuscated JavaScript to harvest sensitive data and receive additional payloads.

Security researcher Gi7w0rm, in an X post, said the PDF documents observed contain Russian language lures and refer to issues regarding current events related to the oil and gas industry in Russia.

“The sample acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits,” Li said.

“It abuses zero-day/unpatched vulnerability in Adobe Reader that allows it to execute privileged Acrobat APIs, and it is confirmed to work on the latest version of Adobe Reader.”

It also comes with capabilities to exfiltrate the collected information to a remote server (“169.40.2[.]68:45191”) and receive additional JavaScript code to be executed.

This mechanism, Li argued, could be used to collect local data, perform advanced fingerprinting attacks, and set the stage for follow-on activity, including delivering additional exploits to achieve code execution or sandbox.

The exact nature of this next-stage exploit remains unknown as no response was received from the server. This, in turn, could imply the local testing environment from which the request was issued did not meet the necessary criteria to receive the payload. 

“Nevertheless, this zero-day/unpatched capability for broad information harvesting and the potential for subsequent RCE/SBX exploitation is enough for the security community to remain on high alert,” Li said.

(This is a developing story. Please check back for more details.)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

What do you feel about this?

More Stories

ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories

ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories

AndyC 10 April 2026
The Hidden Security Risks of Shadow AI in Enterprises

The Hidden Security Risks of Shadow AI in Enterprises

AndyC 10 April 2026
Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA Region

Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA Region

AndyC 10 April 2026
New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy

New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy

AndyC 9 April 2026
Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices

Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices

AndyC 9 April 2026
APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies

APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies

AndyC 9 April 2026

You may have missed

Smashing Security podcast #462: LinkedIn is spying on you, and you agreed to nothing

Smashing Security podcast #462: LinkedIn is spying on you, and you agreed to nothing

AndyC 10 April 2026
Smashing Security podcast #462: LinkedIn is spying on you, and you agreed to nothing

Smashing Security podcast #462: LinkedIn is spying on you, and you agreed to nothing

AndyC 10 April 2026
The Web Is Full of Traps — and AI Agents Walk Right into Them

OpenAI Readies Rollout of New Cyber Model as Industry Shifts to Defense

AndyC 10 April 2026
[un]prompted 2026 – Al Go Beep Boop!

Aembit IAM for Agentic AI Is Now Generally Available

AndyC 10 April 2026
Chrome, Vivaldi, and the challenge of changing browsers

React2DoS (CVE-2026-23869): When the Flight Protocol Crashes at Takeoff

AndyC 10 April 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.