Adobe patches PDF zero-day vulnerability exploited for months by hackers

Adobe has released an urgent security update for its widely-used PDF software, Acrobat and Reader, to fix a critical vulnerability that hackers have been actively exploiting for at least four months. The flaw, tracked as CVE-2026-34621, allows attackers to remotely install malware on a victim’s device simply by tricking them into opening a maliciously crafted PDF file on Windows or macOS. This is a classic PDF zero-day vulnerability that was being used in the wild before Adobe could develop a patch.

According to Adobe’s advisory, the bug affects Acrobat DC, Reader DC, and Acrobat 2024. The company confirmed it is aware of active exploitation, meaning hackers have been leveraging this weakness to break into computers worldwide. While the full scale of the campaign remains unknown, the ubiquity of Adobe’s PDF software makes it a prime target for both cybercriminals and state-sponsored hackers.

How the PDF zero-day vulnerability was discovered

Security researcher Haifei Li, founder of the exploit-detection platform EXPMON, uncovered the CVE-2026-34621 exploit after a malicious PDF was uploaded to his malware scanner. In a detailed blog post, Li revealed that another copy of the same malicious file first appeared on VirusTotal, a popular online malware analysis service, as early as late November 2025. This timeline indicates that attackers had been using the PDF zero-day vulnerability for months before Adobe’s patch.

Li’s analysis showed that opening the poisoned PDF could give the attacker full control over the victim’s system. “This could lead to full control of the victim’s system,” Li wrote, adding that the hacker could then steal a wide range of sensitive data. Unfortunately, it remains unclear who is behind the campaign or what specific targets were chosen, as Li could not retrieve additional exploits from the attacker’s servers.

Why this Adobe security patch matters for users

This Adobe security patch is critical because PDF files are exchanged daily across industries—from legal contracts to academic papers. A malicious PDF malware attack can infiltrate even well-protected networks if a user unknowingly opens a booby-trapped document. The zero-day attack Adobe faced here underscores the persistent threat to widely deployed software.

Adobe has urged all users of Acrobat DC, Reader DC, and Acrobat 2024 to update their software immediately to the latest versions. The patch is available through the software’s automatic update mechanism or via the Adobe website. For enterprise environments, IT administrators should prioritize this update to mitigate the risk of Acrobat Reader bug exploitation.

Protecting against future PDF exploits

Beyond applying the latest patch, users can adopt safer practices to reduce exposure to similar threats. Always verify the source of PDF files before opening them, especially if they arrive unexpectedly via email or downloads. Consider using built-in security features like Adobe’s Protected View, which opens PDFs in a sandboxed environment to limit potential damage.

Security experts also recommend using dedicated PDF readers with enhanced security controls or enabling automatic updates across all software. For organizations, deploying endpoint detection and response (EDR) tools can help identify suspicious behavior linked to malicious PDF malware. As this incident shows, even trusted software can harbor hidden dangers for months before a fix is released.

In conclusion, the PDF zero-day vulnerability patched by Adobe serves as a stark reminder of the evolving threat landscape. Staying vigilant and updating software promptly are the best defenses against such stealthy attacks. For more on securing your digital workspace, check out our guide on cybersecurity best practices for remote teams and learn how to secure PDF files against malware.