Zero-Day Threat: Malicious PDFs Exploit Critical Adobe Reader Vulnerability Since 2025

Critical Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

Since December 2025, attackers have been exploiting a previously unpatched vulnerability in Adobe Reader by distributing specially crafted PDF documents. The exploit was first identified by security researcher Haifei Li of EXPMON, who described the attack in a recent report.

The earliest known sample is a PDF named Invoice540.pdf, uploaded to VirusTotal on November 28, 2025. A second sample appeared on March 23, 2026, which indicates the campaign is still running. The filename points to a social-engineering lure: the recipient is expected to open what looks like a legitimate invoice.

Opening the PDF in Adobe Reader runs obfuscated JavaScript embedded in the document; no further user interaction is required. The script gathers information about the victim's system and contacts a remote server to retrieve additional payloads. Some samples carry Russian-language lures referencing current events in the Russian oil and gas industry, as observed by security researcher Gi7w0rm.

The exploit abuses an unpatched flaw that lets the document's own JavaScript call privileged Acrobat APIs, functions that are normally reserved for trusted contexts (such as folder-level scripts) and unavailable to document-level code. Li confirmed that the exploit works against the latest Adobe Reader release. Its observed behaviour is to collect several categories of system information and exfiltrate them to a server at 169.40.2[.]68:45191, then fetch further JavaScript from that server and execute it. That staging mechanism is what makes the zero-day dangerous: the follow-on code could carry remote code execution (RCE) and sandbox escape (SBX) exploits.
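The traits described above (JavaScript wired to run on open, obfuscation, and a hard-coded host:port) can be screened for statically before a file is ever opened. The following Python script is an added triage example written for this page; it is not code from the EXPMON report, from Adobe, or from the sample itself. It scans raw PDF syntax with regular expressions, inflates FlateDecode streams (where real droppers usually hide their script), undoes the `/J#53`-style name escaping attackers use to hide the `/JS` keyword, and reports a coarse verdict. The two sample PDFs are constructed inline: the "malicious" one reproduces the reported traits and embeds the C2 address named in the report, but is otherwise synthetic and not the real Invoice540.pdf.

```python
"""Static triage of PDFs for script-on-open, obfuscation and an embedded C2.

Added example; not code from the EXPMON report or from Adobe. It inspects raw
PDF syntax with regular expressions (no PDF library), so it is a first-pass
screen rather than a full parser.
"""
import re
import zlib

# Dictionary keys that cause a script or action to run. /OpenAction and /AA
# trigger without user interaction; /JS and /JavaScript carry the code.
SCRIPT_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch")
# Constructs common in obfuscated PDF droppers.
OBFUSCATION_MARKERS = (b"eval(", b"unescape(", b"String.fromCharCode",
                       b"\\x", b"\\u", b"app.trustedFunction")
# IPv4 address with optional port, e.g. 169.40.2.68:45191 (the reported C2).
IP_PORT_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def inflate_streams(data: bytes) -> bytes:
    """Append the decompressed body of every FlateDecode stream to the data."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate (or damaged); the raw bytes are still scanned
    return data + b"\n" + b"\n".join(inflated)


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name escapes such as /J#53 -> /JS, a common keyword-hiding trick."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return the indicators found in a PDF plus a coarse verdict."""
    text = normalize_names(inflate_streams(data))
    keys = [k.decode() for k in SCRIPT_KEYS if k in text]
    obf = [m.decode() for m in OBFUSCATION_MARKERS if m in text]
    hosts = sorted({h.decode() for h in IP_PORT_RE.findall(text)})
    runs_js = "/JS" in keys or "/JavaScript" in keys
    on_open = "/OpenAction" in keys or "/AA" in keys
    if runs_js and on_open and (obf or hosts):
        verdict = "malicious-looking"
    elif runs_js:
        verdict = "review"
    else:
        verdict = "clean"
    return {"script_keys": keys, "obfuscation": obf, "hosts": hosts,
            "verdict": verdict}


def _flate_obj(num: int, body: bytes) -> bytes:
    """Wrap body in a FlateDecode stream object, the way real samples hide scripts."""
    z = zlib.compress(body)
    return (b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % (num, len(z))
            + z + b"\nendstream\nendobj\n")


# Constructed samples, not the real Invoice540.pdf. The malicious one mirrors the
# report's traits: script on /OpenAction, the /JS key hidden as /J#53, body
# compressed, obfuscated, and carrying the C2 address the report names.
MALICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /J#53 4 0 R >>\nendobj\n"
    + _flate_obj(4, b"var c='169.40.2.68:45191';eval(unescape('%61%70%70'));")
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, scan_pdf(pdf))
```

Keyword matching of this kind is deliberately cheap and deliberately incomplete: it misses JavaScript hidden in hex strings, in object streams, or behind multi-filter chains, and a `/Launch` or `/AA` hit on its own only says "look closer". Treat anything flagged `review` or worse as a candidate for a real parser such as Didier Stevens' pdf-parser.py, and never open the file in Reader outside an isolated VM.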

What the later stages do is unknown: the server returned nothing during analysis, possibly because the analysis environment did not meet the targeting criteria the attackers check before delivering the next-stage payload. Even so, a zero-day that already performs extensive information gathering and can load arbitrary follow-on code is serious, and the security community should treat it with heightened vigilance.

Adobe has been notified of the vulnerability. Until a patch is available, users should be cautious with PDF files from unknown or untrusted sources, keep Adobe Reader updated, and apply the security fix as soon as it ships. Because the observed first stage is document JavaScript, disabling JavaScript in Reader (Edit > Preferences > JavaScript, or centrally through the bEnableJS FeatureLockDown policy) blocks the attack as described here, and leaving Protected View enabled for files from the internet adds a second barrier. Defenders should also block outbound traffic to 169.40.2[.]68:45191 and review proxy and firewall logs for past connections to it. Robust endpoint protection and regular backups limit the damage if an exploit does succeed.

This incident highlights the persistent threat posed by zero-day vulnerabilities and the importance of proactive security measures. Organizations and individuals alike must remain vigilant, ensuring that their software is up-to-date and that they are aware of the latest security threats and best practices.