CVE-2026-34621: Adobe Acrobat Reader Zero-Day Exploited for 135 Days Before Patch — Full Attack Chain Analysis

⚠️ CISA KEV Alert: CVE-2026-34621 added to Known Exploited Vulnerabilities catalog on April 13, 2026. FCEB agencies must patch by April 27, 2026.

Adobe has released emergency security updates for a zero-day vulnerability in Adobe Acrobat Reader that has been actively exploited in the wild since at least November 2025. Tracked as CVE-2026-34621, the flaw affects the Windows and macOS versions of both Acrobat Reader and Acrobat, and lets an attacker execute arbitrary code on a victim's system once the user opens a malicious PDF file; no further interaction is required.

The exploitation was first identified by EXPMON founder Haifei Li, who found in-the-wild zero-day attacks delivered through a weaponized PDF lure named Invoice540.pdf. The sample first appeared on VirusTotal on November 28, 2025, more than four months before Adobe released a patch, so the attackers had a long head start.

Vulnerability Details: CVE-2026-34621

  • CVE ID: CVE-2026-34621
  • CVSS Score: 8.6 (High) — revised from initial 9.6 Critical after Adobe updated attack vector from Network to Local
  • Vulnerability Type: Prototype Pollution leading to Arbitrary Code Execution
  • Affected Products: Adobe Acrobat Reader and Acrobat (Windows and macOS)
  • Patch Status: Fixed in emergency update released April 12, 2026
  • CISA KEV: Added April 13, 2026 — patch deadline April 27, 2026 for federal agencies

Prototype pollution is a JavaScript vulnerability class in which attacker-controlled input is written onto a shared prototype, typically Object.prototype, the object from which almost every other JavaScript object inherits properties. A property injected there is visible on every object that does not define that property itself, so checks and lookups elsewhere in the application silently pick up attacker-chosen values. In Adobe Reader's PDF JavaScript engine this lets the attacker inject properties into base objects that privileged code paths read, ultimately redirecting execution to attacker-controlled functionality.
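
The pattern in generic JavaScript, as an added example that is not Acrobat's engine code and not part of the original article: a deep-merge helper that copies attacker-controlled keys verbatim, the pollution it causes, a privileged code path that is steered by the injected flag, and hardened versions of both. The attacker input, the isTrusted flag and the merge functions are constructed for this example.

```javascript
// Added example, not Acrobat's engine code: the prototype-pollution pattern in
// generic JavaScript. `attackerJson` and the `isTrusted` flag are constructed.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE: after JSON.parse, "__proto__" is an ordinary own key of `src`,
// but target["__proto__"] on a plain object resolves (via the accessor on
// Object.prototype) to Object.prototype itself, so the recursion writes the
// attacker's properties onto the shared prototype.
function mergeVulnerable(target, src) {
  for (const key of Object.keys(src)) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeVulnerable(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// HARDENED: refuse the keys that reach a prototype, and only recurse into
// properties the target itself owns so an inherited object is never mutated.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mergeHardened(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(src[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeHardened(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// A privileged code path gated on a flag that only trusted code is supposed to
// set. After pollution the flag is inherited by every object, including a fresh
// document object the attacker never touched directly.
function runPrivileged(doc) {
  return doc.isTrusted ? 'privileged API enabled' : 'restricted';
}

// Hardened consumer: honour the flag only as an own property of the object.
function runPrivilegedSafe(doc) {
  const own = Object.prototype.hasOwnProperty.call(doc, 'isTrusted');
  return own && doc.isTrusted ? 'privileged API enabled' : 'restricted';
}

// Run one merge implementation against the attacker's input and report what an
// unrelated object sees afterwards; removes the injected property so later
// code in the same process is unaffected.
function demo(merge) {
  const attackerJson = '{"name":"Invoice540","__proto__":{"isTrusted":true}}'; // constructed input
  merge({}, JSON.parse(attackerJson));
  const unrelatedDoc = {};
  const result = {
    polluted: unrelatedDoc.isTrusted === true,
    naive: runPrivileged(unrelatedDoc),
    safe: runPrivilegedSafe(unrelatedDoc),
  };
  delete Object.prototype.isTrusted;
  return result;
}

console.log('vulnerable merge:', demo(mergeVulnerable));
console.log('hardened merge:  ', demo(mergeHardened));
```

Run it with node. The vulnerable merge reports polluted: true and the naive gate opens for an object the attacker never saw; the hardened merge leaves Object.prototype untouched, and the own-property check in runPrivilegedSafe holds even when the merge is the vulnerable one. The point for Reader is the second half: the engine's own privileged checks are the consumer, and the document's script is the attacker-controlled input.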

How the Attack Works: Zero-Day Exploitation Chain

The attack is delivered entirely through a specially crafted PDF document. Here is the full exploitation chain observed in the wild:

Phase 1 — Social Engineering Delivery

The weaponized PDF files use invoice-themed lures (Invoice540.pdf) to trick targets into opening them. Security researcher Gi7w0rm identified that observed samples contain Russian-language lures referencing issues in the Russian oil and gas industry — suggesting targeted spear-phishing against energy sector organizations.

Phase 2 — Zero-Day Trigger

Upon opening the PDF in Adobe Reader, the document automatically runs obfuscated JavaScript with no further user interaction. That JavaScript exploits CVE-2026-34621 to reach privileged Acrobat APIs that are normally reserved for trusted code, crossing the trust boundary between document-level script and the engine's privileged context. This is distinct from escaping the process-level Protected Mode sandbox, which the observed chain treats as a later stage (see Phase 4).

The sample acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits. — Haifei Li, EXPMON

Phase 3 — Information Harvesting

With privileged API access established, the malicious JavaScript performs broad information collection including:

  • Local system fingerprinting and environment reconnaissance
  • Sensitive data collection from the filesystem
  • Advanced browser and application fingerprinting
  • Identification of security tools and sandbox detection

Phase 4 — C2 Exfiltration and Follow-On Payloads

Collected data is exfiltrated to the attacker’s C2 server at 169.40.2[.]68:45191. The C2 then responds with additional JavaScript payloads to be executed in the context of Adobe Reader. Researchers believe these follow-on payloads deliver:

  • Full Remote Code Execution (RCE) exploits
  • Sandbox escape (SBX) to break out of Adobe Reader’s Protected Mode
  • Persistence mechanisms and additional malware stages

Researchers were unable to recover the next-stage payload because the C2 server did not respond to requests from analysis environments, which suggests the attackers evaluate the fingerprint data before serving it, a common anti-analysis technique. The IOCs below therefore describe only the first stage.

Timeline: From Zero-Day to Patch

  • November 28, 2025 — First weaponized PDF sample (Invoice540.pdf) uploaded to VirusTotal. Exploitation likely begins.
  • March 23, 2026 — Second PDF sample uploaded to VirusTotal, confirming ongoing active exploitation.
  • Early April 2026 — EXPMON’s Haifei Li publicly discloses zero-day exploitation details.
  • April 10, 2026 — Security researchers confirm RCE capability; Adobe begins emergency patch development.
  • April 12, 2026 — Adobe releases emergency patch. CVSS score revised from 9.6 to 8.6 after attack vector update.
  • April 13, 2026 — CISA adds CVE-2026-34621 to KEV catalog. Federal patch deadline: April 27, 2026.

The gap between first exploitation (November 2025) and patch release (April 2026) represents approximately 135 days of zero-day exposure — a significant window during which targeted organizations had no vendor-supplied defense.

Affected Products and Versions

The following Adobe products are affected on both Windows and macOS; compare the installed build against the fixed versions listed in Adobe's bulletin rather than relying on the product name alone:

  • Adobe Acrobat Reader DC (Continuous Track) — versions prior to the April 2026 emergency update
  • Adobe Acrobat DC (Continuous Track) — versions prior to the April 2026 emergency update
  • Adobe Acrobat Reader 2024 (Classic Track) — versions prior to the April 2026 emergency update
  • Adobe Acrobat 2024 (Classic Track) — versions prior to the April 2026 emergency update

Who is Being Targeted?

Based on the available evidence, the targeting profile includes:

  • Energy sector organizations — Russian-language oil and gas lures suggest targeted attacks against this sector
  • Russian-speaking targets — or organizations with Russian business exposure
  • Any Adobe Reader user — the exploit worked against the then-current release, so every installation not yet on the April 2026 update is exposed, whatever its sector
  • Government and critical infrastructure — CISA KEV listing confirms federal concern

Indicators of Compromise (IOCs)

Malicious PDF Samples

  • Filename: Invoice540.pdf
  • SHA-256 (Sample 1, first seen on VirusTotal November 28, 2025): 54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f
  • SHA-256 (Sample 2, uploaded March 23, 2026): 65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7
  • PDF files with invoice-themed names containing Russian-language content

Network IOCs

  • C2 server: 169.40.2[.]68:45191 (first-stage exfiltration and retrieval of the follow-on JavaScript)
  • Outbound connections from the main Adobe Reader or Acrobat process to external IPs; Reader's own helper processes and Adobe's update services generate legitimate traffic, so allowlist those rather than discarding the signal

Behavioral IOCs

  • JavaScript execution triggered automatically on PDF open (an /OpenAction or /AA entry pointing at a JavaScript action)
  • Adobe Reader spawning unexpected child processes or making network connections
  • Obfuscated JavaScript within the PDF, often inside compressed object streams
  • Privileged Acrobat API calls from an untrusted document context
  • Data exfiltration from the Adobe Reader process
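
Detection logic for the network and behavioral IOCs above, as an added example that is not from the article: it runs over constructed Sysmon-style events (Event ID 1 for process creation, Event ID 3 for network connections) and raises a high-severity finding for any connection to the quoted C2, a high-severity finding for an unexpected child of the Reader process, and a medium-severity finding for the main Reader process reaching an external address that is not allowlisted. The event field names follow Sysmon's; the allowlists, the non-C2 addresses (documentation ranges) and the sample events are assumptions made for this example.

```javascript
// Added example, not from the article: detection over constructed
// Sysmon-style events. The C2 address is the one quoted in the article;
// allowlists and non-C2 addresses are assumptions for this example.

const C2_IOCS = new Set(['169.40.2.68:45191']);
const READER_IMAGES = new Set(['acrord32.exe', 'acrobat.exe']); // main Reader/Acrobat processes
// Acrobat's embedded Chromium helpers (RdrCEF.exe / AcroCEF.exe) are expected
// children and talk to the network routinely; assumed allowlist, tune per site.
const ALLOWED_CHILDREN = new Set(['rdrcef.exe', 'acrocef.exe']);
const ALLOWED_HOSTS = new Set(['updates.example.com']); // assumed updater host

function baseName(path) {
  return String(path || '').split(/[\\/]/).pop().toLowerCase();
}

// RFC 1918 and loopback; connections there are left to other rules.
function isPrivateIPv4(ip) {
  const o = String(ip || '').split('.').map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n))) return false;
  return o[0] === 10 || o[0] === 127 || (o[0] === 192 && o[1] === 168) ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31);
}

function evaluate(ev) {
  const findings = [];
  if (ev.EventID === 3) {
    const img = baseName(ev.Image);
    const dest = `${ev.DestinationIp}:${ev.DestinationPort}`;
    const host = String(ev.DestinationHostname || '').toLowerCase();
    if (C2_IOCS.has(dest)) {
      findings.push({ severity: 'high', rule: 'connection to known C2', detail: `${img} -> ${dest}` });
    } else if (READER_IMAGES.has(img) && !isPrivateIPv4(ev.DestinationIp) && !ALLOWED_HOSTS.has(host)) {
      findings.push({ severity: 'medium', rule: 'Reader main process outbound connection', detail: `${img} -> ${dest}` });
    }
  }
  if (ev.EventID === 1) {
    const parent = baseName(ev.ParentImage);
    const child = baseName(ev.Image);
    if (READER_IMAGES.has(parent) && !ALLOWED_CHILDREN.has(child)) {
      findings.push({
        severity: 'high',
        rule: 'Reader spawned unexpected child process',
        detail: `${parent} -> ${child} ${ev.CommandLine || ''}`.trim(),
      });
    }
  }
  return findings;
}

function runDetection(events) {
  return events.flatMap((ev, index) => evaluate(ev).map((f) => ({ index, ...f })));
}

// Constructed events. 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
const EVENTS = [
  { EventID: 3, Image: 'C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe',
    DestinationIp: '169.40.2.68', DestinationPort: 45191, DestinationHostname: '' },
  { EventID: 3, Image: 'C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AcroCEF\\AcroCEF.exe',
    DestinationIp: '203.0.113.10', DestinationPort: 443, DestinationHostname: 'updates.example.com' },
  { EventID: 1, Image: 'C:\\Windows\\System32\\cmd.exe',
    ParentImage: 'C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe',
    CommandLine: 'cmd.exe /c whoami' },
  { EventID: 1, Image: 'C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe',
    ParentImage: 'C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe' },
  { EventID: 3, Image: 'C:\\Program Files\\Mozilla Firefox\\firefox.exe',
    DestinationIp: '198.51.100.5', DestinationPort: 443, DestinationHostname: '' },
  { EventID: 3, Image: 'C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe',
    DestinationIp: '198.51.100.7', DestinationPort: 8443, DestinationHostname: '' },
];

for (const f of runDetection(EVENTS)) {
  console.log(`[${f.severity}] event ${f.index}: ${f.rule} (${f.detail})`);
}
```

The same three rules translate directly into EDR or SIEM queries. Two points from the article shape them: a hit on the C2 rule from an endpoint means a lure was already opened there, so it is an incident, not a block; and the medium rule is where the hunting value lies once the attackers move to new infrastructure, because the first stage described above has to leave the Reader process to reach its C2.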

Immediate Actions Required

  1. Update Adobe Reader immediately — Open Adobe Reader → Help → Check for Updates and install the April 2026 emergency update. Confirm the installed build against the fixed versions in Adobe's bulletin rather than relying on the updater's status message.
  2. Enable automatic updates — Edit → Preferences → Updater → Automatically install updates.
  3. Block and alert on the C2 — Block outbound connections to 169.40.2[.]68 (port 45191 observed) at the perimeter and alert on every attempt: a connection attempt from an endpoint means a lure was already opened there and that host needs triage.
  4. Keep Protected Mode enabled — Edit → Preferences → Security (Enhanced) → Enable Protected Mode at startup. The first stage described above runs inside the sandbox, so Protected Mode does not prevent the information harvesting, but it is the boundary the follow-on sandbox-escape stage has to break.
  5. Hunt for IOCs — Search mail stores, file shares and endpoints for the two SHA-256 hashes above, and also for PDFs carrying auto-executing JavaScript, since new lures will not share those hashes.
  6. Disable JavaScript in PDF — As a temporary mitigation if patching is delayed: Edit → Preferences → JavaScript → uncheck Enable Acrobat JavaScript. This removes the trigger for the observed chain, which depends on document JavaScript running on open. Fleet-wide, the same setting can be enforced and locked through Adobe's FeatureLockDown policy (bDisableJavaScript).
  7. Train users on PDF phishing — Invoice-themed PDFs from unknown senders should be treated as high-risk; the lures seen here were Russian-language invoices.
  8. Federal agencies — CISA mandatory patch deadline is April 27, 2026. Treat this as P1.

Why This is More Serious Than the CVSS Score Suggests

Adobe revised the CVSS score from 9.6 to 8.6 after changing the Attack Vector metric from Network (AV:N) to Local (AV:L). The change reflects that exploitation starts from a file already on the victim's system (the PDF the user opens) rather than from a service reachable over the network; user interaction is a separate CVSS metric and was already part of the original score, so nothing else about the vulnerability changed. This revision understates the real-world risk for several reasons:

  • PDF is a universal attack surface — email attachments, web downloads, and shared documents are trivial delivery mechanisms that effectively give attackers “local” access via social engineering
  • 135+ day zero-day window — attackers had months to compromise targets before any patch existed
  • Full RCE + sandbox escape potential — the follow-on payload capability extends impact far beyond information disclosure
  • CISA KEV listed — active exploitation confirmed against real targets, not just theoretical

Written by Tarang Parmar (CEH) — TheCyberSecurity.Network. Last updated: April 13, 2026.