Patch Now: Adobe Fixed Actively Exploited Zero-Day Bug in Acrobat Reader

Adobe has released a security bulletin (APSB26-43) regarding a severe vulnerability, CVE-2026-34621, affecting Adobe Acrobat and Reader. This vulnerability is of particular concern to security teams because it is currently being exploited in the wild, allowing attackers to execute arbitrary code on affected Windows and macOS systems.

Severity: High

Vulnerability Overview

  • CVE ID: CVE-2026-34621
  • Vulnerability Type: Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’) (CWE-1321)
  • CVSS Score: 8.6 (revised down from 9.6)
  • Exploitation Status: Actively exploited in the wild since at least November
  • Impact: Arbitrary Code Execution
  • Affected Products and Versions:

The vulnerability impacts both Windows and macOS platforms for the following versions:

| Product | Track | Affected Versions | Fixed Versions |
|---|---|---|---|
| Acrobat DC | Continuous | 26.001.21367 and earlier | 26.001.21411 |
| Acrobat Reader DC | Continuous | 26.001.21367 and earlier | 26.001.21411 |
| Acrobat 2024 | Classic 2024 | 24.001.30356 and earlier | Windows: 24.001.30362; Mac: 24.001.30360 |

Attack Chain

  1. Victim opens malicious PDF
  2. Obfuscated JavaScript executes (base64-encoded payload hidden in a form field object)
  3. Local system fingerprinting: language settings, reader version, exact OS version (parsed from ntdll.dll), local PDF file path
  4. Data exfiltrated to C2 via RSS.addFeed() call
  5. C2 evaluates the victim profile; if its criteria are met, it returns an encrypted (AES-CTR), compressed follow-on JavaScript payload for remote code execution and sandbox escape (RCE/SBX)

Recommendations

  1. Adobe recommends users update their Acrobat Reader installations to the latest fixed versions.
  2. Exercise caution with PDFs from untrusted sources.
  3. Monitor and consider blocking outbound HTTP/HTTPS traffic where the User Agent is set to “Adobe Synchronizer”. This string is a key indicator of the exfiltration method used by this exploit.
  4. If business workflows permit, disable JavaScript in Adobe Reader entirely (Edit > Preferences > JavaScript > Uncheck ‘Enable Acrobat JavaScript’). This effectively kills the primary execution engine for this exploit.
  5. Conduct a retro-hunt across mail gateways and file shares for the filename yummy_adobe_exploit_uwu.pdf or similar variants.
  6. Block the IOCs at their respective controls.
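
Recommendation 3 written as a proxy-log hunt. This is an added example, not part of the original advisory. It assumes a space-delimited log layout (timestamp, client, method, target, status, quoted User-Agent) and runs over constructed sample lines; only the “Adobe Synchronizer” string comes from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

UA_INDICATOR = "adobe synchronizer"  # User-Agent string named in the advisory

# Assumed log layout (constructed): timestamp client method target status "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"\s*$'
)

def dest_host(method, target):
    """Return the destination host for plain requests and CONNECT tunnels."""
    if method == "CONNECT":  # HTTPS via an explicit proxy: target is host:port
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def hunt(lines):
    """Map each client to the destinations it contacted with the indicator UA."""
    hits = defaultdict(set)
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # count odd lines instead of silently dropping them
            continue
        if UA_INDICATOR in m["ua"].lower():  # case-insensitive substring match
            hits[m["client"]].add(dest_host(m["method"], m["target"]))
    return {c: sorted(h) for c, h in hits.items()}, unparsed

# Constructed sample log lines; hosts and addresses are documentation values.
SAMPLE = [
    '2026-01-01T09:00:01Z 10.0.0.5 GET http://updates.example.net/feed 200 "Mozilla/5.0"',
    '2026-01-01T09:00:02Z 10.0.0.7 GET http://feed.example.org/rss?id=1 200 "Adobe Synchronizer"',
    '2026-01-01T09:00:03Z 10.0.0.7 CONNECT feed.example.org:443 200 "adobe synchronizer"',
    '2026-01-01T09:00:04Z 10.0.0.9 POST http://198.51.100.20/in 404 "Adobe Synchronizer"',
    'truncated line without fields',
]

if __name__ == "__main__":
    found, skipped = hunt(SAMPLE)
    for client, hosts in sorted(found.items()):
        print(f"{client}: {', '.join(hosts)}")
    print(f"unparsed lines: {skipped}")
```

Each client returned is a host to triage; the unparsed count shows how much of the log the assumed layout failed to cover.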

IOCs

https://www.virustotal.com/gui/collection/1c6b8b94b3ad32fc76dc34f7daf614ac56762c703526ec06f82e0420074192a0/iocs

Source:

  • https://helpx.adobe.com/security/products/acrobat/apsb26-43.html
  • https://www.ampcuscyber.com/shadowopsintel/zero-day-bug-in-acrobat-reader-actively-exploited-in-the-wild/
