About the Remote Code Execution - Adobe Reader (CVE-2026-34621) vulnerability. Adobe Acrobat Reader (known as "Adobe Reader" from 2003 to 2015) is a free PDF viewer developed by Adobe. Versions are available for Windows, macOS, Android, and iOS. The remote code execution vulnerability in Adobe Acrobat for Windows and macOS is caused by improper handling of object prototype attributes (CWE-1321 - "Prototype Pollution"). Successful exploitation allows an attacker to execute arbitrary code on the target system when the victim opens a specially crafted document.
👾 Researcher Haifei Li, the developer of EXPMON - a sandbox-based system designed to detect file-based zero-days and hard-to-detect exploits - reported the vulnerability and the existence of a working exploit on April 7. Earlier, on March 26, an unknown individual uploaded a malicious PDF sample named yummy_adobe_exploit_uwu.pdf to the public EXPMON service.
According to the analysis results, the sample behaved like an initial exploit capable of collecting and transmitting various types of information to the attacker, potentially followed by arbitrary code execution (RCE) and sandbox escape (SBX) exploits. It used a zero-day vulnerability in Adobe Reader that allowed it to invoke privileged Acrobat APIs. The exploit was confirmed to work on the latest version of Acrobat. Specifically, it abused the "util.readFileIntoStream()" API, which allows arbitrary files accessible to the isolated Reader process to be read from the local system. This enabled the malware to collect a wide range of information from the victim's machine and steal data from local files. The "RSS.addFeed()" API was used to send the collected information to a remote server and retrieve additional JavaScript code for execution. Such a mechanism allows attackers to gather user information, steal local data, perform advanced fingerprinting, and further develop the attack. If the target matched the attacker's criteria, an additional exploit could then be delivered to achieve RCE or SBX. However, during testing, the researcher was unable to obtain the additional exploit payload - although the server was reachable, it did not respond. This may have been caused by several factors. For example, the local testing environments may not have matched the specific criteria expected by the attacker.
On April 8, another malicious file sample was discovered on VirusTotal. The file had originally been uploaded on November 28, 2025, indicating that this 0day/APT campaign had been active for at least four months.
On April 9, researcher Gi7w0rm reported signs of active exploitation of the vulnerability in attacks. The attacks used malicious Russian-language documents disguised as materials related to Russia's oil and gas sector as phishing lures. Based on the observed targeting, the campaign appears to have been aimed at specific Russian organizations.
On April 13, the vulnerability was added to the CISA KEV catalog.
⚙️ The Adobe security bulletin was published on April 12. Affected versions include Acrobat DC 26.001.21367 and earlier, Acrobat Reader DC 26.001.21367 and earlier, and Acrobat 2024 24.001.30356 and earlier. The vulnerability has been fixed in Acrobat DC 26.001.21411, Acrobat Reader DC 26.001.21411, and Acrobat 2024 (Windows: 24.001.30362/Mac: 24.001.30360).
Adobe recommends that users of affected versions update their applications via “Help > Check for Updates”, which triggers the automatic update process. Alternatively, users can download the Acrobat Reader installer directly from Adobe's official portal.
The bulletin notes that Adobe is aware of active exploitation of vulnerability CVE-2026-34621 in the wild.
🛠 No public exploits have been observed so far.
💡 PDF files received from untrusted or unexpected sources should always be treated with caution and opened in isolated (sandboxed) environments. 😉