Adobe Acrobat Zero-Day Was Live for Five Months
CVE-2026-34621 is a prototype pollution zero-day in Adobe Acrobat Reader, exploited in the wild since November 2025 via invoice and legal PDF lures.
Somewhere between November 2025 and last week, attackers had a working zero-day in Adobe Acrobat Reader. Adobe shipped the patch on April 13. For five months, opening the wrong PDF at the wrong time was enough to hand over your laptop.
What Is CVE-2026-34621?
CVE-2026-34621 is a prototype pollution vulnerability in the JavaScript engine inside Adobe Acrobat and Acrobat Reader. Adobe assigned it a CVSS score of 8.6 and CISA added it to the Known Exploited Vulnerabilities catalog the same day the patch landed. Federal agencies have until April 27 to get their systems updated. The rest of us have whenever, which is a problem because attackers have been using it for months.
The flaw is classified as CWE-1321, prototype pollution. If that phrase is new, here is the short version. JavaScript objects inherit properties from their prototype. If an attacker can modify properties on the prototype of a base object (like Object.prototype), every object in the runtime inherits those changes, including objects the surrounding application expected to be trustworthy. The result is a path from “I control one input” to “I control properties the security code is checking.”
Acrobat Reader has a full JavaScript engine. PDFs can embed and execute JavaScript when the file is opened. Combining prototype pollution with a scripting engine that has access to internal APIs means a malicious PDF can rewrite the assumptions that security checks rely on, then reach code that was never supposed to be reachable from a document.
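The mechanism in one runnable snippet, added here as an illustration and not taken from Acrobat or from the exploit: a settings merge that accepts attacker-shaped JSON reaches Object.prototype, and a permission check on an unrelated object starts returning true. The merge routine, the `isAdmin` check and the input are constructed for this example; the hardened merge and the own-property check beside them are the standard mitigations.

```javascript
// Constructed illustration of CWE-1321 for this article; not Acrobat's code or the exploit.
// JSON.parse() makes "__proto__" an ordinary own key that Object.keys() lists, while
// reading target["__proto__"] on a plain object yields Object.prototype itself.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
// Naive recursive merge: copies every key of source into target, descending into objects.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && typeof target[key] === "object") {
      unsafeMerge(target[key], value); // for "__proto__" this recurses into Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Hardened merge: refuse prototype-reaching keys and only descend into target's own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__" || key === "constructor" || key === "prototype") continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (!hasOwn(target, key) || typeof target[key] !== "object") target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// One check trusts the whole prototype chain; the other accepts only an own property.
function isPrivilegedNaive(session) { return session.isAdmin === true; }
function isPrivilegedStrict(session) { return hasOwn(session, "isAdmin") && session.isAdmin === true; }
// Runs the scenario against an unrelated object and undoes the pollution afterwards.
function runDemo() {
  const session = {}; // nobody ever set isAdmin on this object
  const result = { before: isPrivilegedNaive(session) };
  try {
    unsafeMerge({}, JSON.parse(UNTRUSTED_JSON));
    result.naiveAfterUnsafe = isPrivilegedNaive(session);   // true: inherited from Object.prototype
    result.strictAfterUnsafe = isPrivilegedStrict(session); // false: not an own property
  } finally {
    delete Object.prototype.isAdmin; // so the pollution does not outlive the demo
  }
  safeMerge({}, JSON.parse(UNTRUSTED_JSON));
  result.naiveAfterSafe = isPrivilegedNaive(session);       // false: the key was refused
  return result;
}
```

The same input that flips the naive check changes nothing for the strict check or after the hardened merge, which is the property a reviewer should look for in any merge, extend or deep-copy helper.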
The Timeline
| Date | Event |
|---|---|
| November 2025 | First observed in-the-wild exploitation (per EXPMON telemetry) |
| April 9, 2026 | Security researcher Haifei Li reports active exploitation to Adobe after malicious samples are submitted to EXPMON |
| April 13, 2026 | Adobe releases emergency patch APSB26-43 |
| April 13, 2026 | CISA adds CVE-2026-34621 to Known Exploited Vulnerabilities catalog |
| April 27, 2026 | Deadline for Federal Civilian Executive Branch agencies to patch |
Five months between first exploitation and first fix. During that window, anyone who opened the right PDF from the right sender got owned without knowing it happened.
The Attack Chain
Exploitation looks like standard document-based phishing. Spear-phishing emails carry PDF attachments with themes designed to get opened: invoices, legal documents, HR communications. A Swiss Treuhänder receives a PDF labeled “Rechnung April 2026.” A law firm gets “Vertragsentwurf_final.pdf.” An HR office opens “Bewerbung_Schweizer.pdf.” None of this looks unusual. This is the normal shape of Swiss business email.
Inside the PDF is obfuscated JavaScript that triggers the prototype pollution. The exploit abuses the mutated prototype chain to gain arbitrary code execution in the context of the current user. At that point, the malware:
- Fingerprints the system (OS version, Acrobat version, logged-in user, domain membership)
- Phones home to an attacker-controlled command server
- Waits for a second-stage payload
Researchers who analyzed the samples could not trigger the second stage. The C2 servers either went silent or started filtering requests after public disclosure. What the second stage does is unknown, but the first stage already hands over enough information to plan an intrusion.
One of the samples contained Russian-language text about gas supply disruptions and emergency response procedures. That does not prove state-level attribution on its own, but it strongly suggests the campaign is not opportunistic crime. Targeted, topical lures mean someone is selecting the victim before hitting send. This is the same file-as-delivery-mechanism pattern we covered with the Notepad markdown RCE last month, and it keeps working for the same reason. People open files they were expecting to receive, and most file formats still permit scripting.
Am I Affected?
If you run Acrobat or Reader on any Windows or macOS machine in your organization, check the version.
Vulnerable versions:
- Adobe Acrobat (Classic 2024) up to and including 24.001.30356
- Adobe Acrobat DC / Reader DC (Continuous) up to and including 26.001.21367
Patched versions:
- Acrobat DC / Reader DC: 26.001.21411
- Acrobat 2024 on Windows: 24.001.30362
- Acrobat 2024 on macOS: 24.001.30360
On Windows, the version is in Help > About Adobe Acrobat Reader. On macOS, open Reader and go to Acrobat Reader > About Adobe Acrobat Reader. If the build number is below the patched version, you are running vulnerable code. Update through the built-in updater or download the installer directly from Adobe. The update is free.
If your organization deploys Reader through an MSI package or software distribution system, push the update today. An old Reader on 50 endpoints is 50 unpatched attack surfaces that all read email.
How to Tell If You Were Compromised
If you suspect exposure, look for behavior consistent with the first-stage fingerprinting and callback.
Outbound connections from AcroRd32.exe or Acrobat.exe. The PDF reader should not be initiating arbitrary network connections. Endpoint tools that log per-process network activity will show this. Anything started by Reader that is not a connection to *.adobe.com is worth investigating.
Unusual process creation from Reader. Reader spawning cmd.exe, powershell.exe, or any shell process is never normal. EDR tools flag this immediately. If you do not run EDR, Sysmon event ID 1 with ParentImage containing AcroRd32.exe or Acrobat.exe is the detection rule to watch.
Unusual PDFs received by finance, legal, or HR staff since November 2025. If you archive email, this is worth searching. Any PDF from an unknown sender that landed around invoice cycles or quarter-end, and whose attachment was opened, is a candidate for review.
If you find evidence of execution, treat the affected endpoint as compromised. Re-imaging is the safe answer. Rotate credentials, browser sessions, and session cookies on that device. Check for lateral movement from that host into the rest of the network, particularly through exposed RDP services and domain authentication logs.
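The two endpoint indicators above (Reader spawning a shell, Reader talking to anything outside *.adobe.com) written out as detection logic over Sysmon-style records, added here as an example and not a rule shipped with any product. The `evaluate` and `scan` functions, the sample events, hostnames, IPs and file paths are all constructed; only the Sysmon field names (EventID, Image, ParentImage, CommandLine, DestinationHostname, DestinationIp, DestinationPort) are the real ones.

```javascript
// Added example for the two endpoint indicators above; constructed records, not real telemetry.
// Field names follow Sysmon event ID 1 (process creation) and ID 3 (network connection).
const READER_IMAGES = ["acrord32.exe", "acrobat.exe"];
const SHELLS = ["cmd.exe", "powershell.exe", "pwsh.exe"];
const RDR = "C:\\Program Files\\Adobe\\Acrobat Reader\\Reader\\AcroRd32.exe"; // constructed path

// Last path component, lower-cased; accepts Windows or POSIX separators.
function baseName(path) {
  return String(path || "").split(/[\\/]/).pop().toLowerCase();
}

// adobe.com itself or a subdomain of it. A substring check would also pass
// "notadobe.com" and "cdn.adobe.com.example"; this one does not.
function isAdobeHost(host) {
  const h = String(host || "").toLowerCase().replace(/\.$/, "");
  return h === "adobe.com" || h.endsWith(".adobe.com");
}

// null for normal events, or { severity, reason } for the two rules described in the text.
function evaluate(ev) {
  if (ev.EventID === 1 && READER_IMAGES.includes(baseName(ev.ParentImage))) {
    const child = baseName(ev.Image);
    const severity = SHELLS.includes(child) ? "high" : "review"; // any other child still deserves a look
    return { severity, reason: `Reader spawned ${child}: ${ev.CommandLine}` };
  }
  if (ev.EventID === 3 && READER_IMAGES.includes(baseName(ev.Image)) && !isAdobeHost(ev.DestinationHostname)) {
    const dest = `${ev.DestinationHostname || ev.DestinationIp}:${ev.DestinationPort}`;
    return { severity: "high", reason: `Reader connected to non-Adobe host ${dest}` };
  }
  return null;
}

function scan(events) {
  return events.map(evaluate).filter(Boolean);
}

// Constructed sample: a normal open and a normal Adobe connection, then three patterns worth an alert.
const SAMPLE_EVENTS = [
  { EventID: 1, ParentImage: "C:\\Windows\\explorer.exe", Image: RDR, CommandLine: "AcroRd32.exe Rechnung_April_2026.pdf" },
  { EventID: 3, Image: RDR, DestinationHostname: "updates.adobe.com", DestinationIp: "192.0.2.10", DestinationPort: 443 },
  { EventID: 1, ParentImage: RDR, Image: "C:\\Windows\\System32\\cmd.exe", CommandLine: "cmd.exe /c systeminfo" },
  { EventID: 3, Image: "C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe", DestinationHostname: "cdn.adobe.com.example", DestinationIp: "198.51.100.7", DestinationPort: 443 },
  { EventID: 3, Image: RDR, DestinationHostname: "", DestinationIp: "203.0.113.25", DestinationPort: 8443 },
];

console.log(scan(SAMPLE_EVENTS));
```

A connection with no resolved hostname is deliberately treated as non-Adobe, since a raw-IP callback is exactly the shape of the first-stage phone-home the text describes.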
The Broader Pattern
Document formats with embedded scripting are the oldest attack surface on the internet. Macros in Word documents. JavaScript in PDFs. ActiveX in anything, once. Every generation, vendors add sandboxing. Every generation, researchers find a way out. Prototype pollution in Acrobat’s JavaScript engine is this cycle’s version of the same story.
The practical advice has not changed in twenty years, but it still works:
- Keep document readers patched. Adobe patches every month. Auto-update should be on.
- Disable JavaScript in PDF readers by default. In Acrobat Reader: Edit > Preferences > JavaScript, then uncheck “Enable Acrobat JavaScript”. This breaks some interactive forms and almost nothing else that most SMBs actually use.
- Sandbox the reader. Reader’s Protected Mode is on by default on Windows. Do not turn it off.
- Assume document-based phishing is happening. It usually is.
None of this replaces watching for behavior on endpoints. Document exploits get in through the user. The damage happens after. If your infrastructure is also exposed (open RDP, an unpatched VPN concentrator, an admin panel reachable from the internet), a compromised laptop becomes lateral movement into the rest of your network within the hour.
Sentinel scans your public infrastructure and shows what an attacker can see from outside. It will not catch a malicious PDF on somebody’s laptop. It will show you where the blast radius ends if that laptop gets owned. Free scan, no account, results in 30 minutes.
The Twist
Attackers exploit the trust we place in standard office documents. Invoices, contracts, memos. The files that move through every Swiss business every day. The whole attack depends on the target opening the file without thinking.
Endolum Hacked uses the same trust in the opposite direction. You create documents that look normal, place them where someone should not be looking, and get an alert the moment one is opened. No macros, no JavaScript, no exploit required. The file just tells you who found it. Free tier available.
Five months is a long time to wait for a patch on the most common document format in professional life. The patch is out now. Install it today. And if you are going to be reading files from strangers for a living (most Swiss SMB staff are), it is worth thinking about which of your own documents could tell you where they have been.