Simply opening a PDF could trigger this Adobe Reader zero-day

Opening the wrong PDF in Adobe Reader was enough to let criminals quietly spy on your computer and unleash more attacks, even though everything looked normal.

A researcher analyzed a malicious PDF and found that it abused a previously unknown flaw (a “zero‑day”) in Adobe Acrobat Reader.
When a victim simply opens this PDF, hidden code inside it can read files that Acrobat Reader should not be allowed to access and send them to an attacker’s server. Some tests show that it allows attackers to pull in additional malicious code from a remote server and run it on the victim’s machine, potentially escaping Adobe’s sandbox protections.
In its security bulletin, Adobe acknowledges that the vulnerability, tracked as CVE-2026-34621, is being exploited in the wild.
The issue impacts the following products and versions for both Windows and macOS:

Acrobat DC versions 26.001.21367 and earlier (fixed in 26.001.21411)
Acrobat Reader DC versions 26.001.21367 and earlier (fixed in 26.001.21411)
Acrobat 2024 versions 24.001.30356 and earlier (fixed in 24.001.30362 for Windows and 24.001.30360 for macOS)

Exploitation requires you to open a malicious PDF, but nothing more. No extra clicks or permissions are needed. The researcher found malicious samples using this exploit dating back to November 11, 2025.
Testing showed that successful exploitation can:

Pull in JavaScript from a remote server and execute it inside Adobe Reader.
Steal arbitrary local files and send them out, proving real‑world data theft is possible even without a full remote code execution chain.

How to stay safe
The easiest way to stay safe is to install the emergency update.
The latest product versions are available to end users via one of the following methods:

Manually: Go to Help > Check for updates
Automatically: Updates install without user intervention when detected
Direct download: Available from the Acrobat Reader Download Center

For IT administrators (managed environments):

Refer to the relevant release notes for installer links
Deploy updates using AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or Apple Remote Desktop/SSH (macOS)

If you’re unable or unwilling to update right away:

Be extra cautious with PDFs from unknown senders or unexpected attachments, even after patching, as attackers may pivot to new variants.
Use an up-to-date, real-time anti-malware solution to block known malicious servers and detect malware and exploits.
Carefully monitor all HTTP/HTTPS traffic for the “Adobe Synchronizer” string in the User Agent field.
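
One way to run the User Agent check above over web proxy logs, as an added example that is not part of the original post or any Adobe or Malwarebytes tooling. The log layout, client names and hosts are constructed for illustration; adapt the pattern to your proxy's real format.

```python
import re
from urllib.parse import urlsplit

MARKER = "adobe synchronizer"  # User-Agent string named in the article, lowercased

# Assumed log layout (constructed):
# <timestamp> <client> <method> <target> <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; hosts and client names are placeholders.
SAMPLE_LOG = """\
2026-04-14T09:12:01Z ws-041 GET http://intranet.example/wiki 200 "Mozilla/5.0"
2026-04-14T09:12:07Z ws-041 POST http://files.example.org/u 200 "Adobe Synchronizer"
2026-04-14T09:12:09Z ws-041 GET http://files.example.org/s.js 200 "Adobe Synchronizer"
2026-04-14T09:30:44Z ws-107 CONNECT cdn.example.com:443 200 "adobe synchronizer"
2026-04-14T09:31:00Z ws-107 GET
"""

def dest_host(method, target):
    """Return the destination host for a plain request or a CONNECT tunnel."""
    if method == "CONNECT":  # target is host:port
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def find_hits(lines):
    """Group marker hits by (client, destination host); count unparsable lines."""
    hits, skipped = {}, 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1  # surface parser gaps instead of hiding them
            continue
        if MARKER not in m["ua"].lower():  # case-insensitive substring match
            continue
        key = (m["client"], dest_host(m["method"], m["target"]))
        rec = hits.setdefault(key, {"count": 0, "first": m["ts"], "last": m["ts"]})
        rec["count"] += 1
        rec["first"] = min(rec["first"], m["ts"])  # ISO-8601 UTC sorts lexically
        rec["last"] = max(rec["last"], m["ts"])
    return hits, skipped

if __name__ == "__main__":
    hits, skipped = find_hits(SAMPLE_LOG.splitlines())
    for (client, host), rec in sorted(hits.items()):
        print(f"{client} -> {host}: {rec['count']} hit(s), {rec['first']} .. {rec['last']}")
    print(f"unparsed lines: {skipped}")
```

For HTTPS, the User Agent is only visible in the CONNECT request or where the proxy inspects TLS, so a clean result from a non-inspecting proxy does not rule out matching traffic.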

The post Simply opening a PDF could trigger this Adobe Reader zero-day appeared first on Malwarebytes.

*** This is a Security Bloggers Network syndicated blog from Malwarebytes authored by Malwarebytes. Read the original post at: https://www.malwarebytes.com/blog/news/2026/04/simply-opening-a-pdf-could-trigger-this-adobe-reader-zero-day
