⚠️ CISA KEV Alert: CVE-2026-34621 added to Known Exploited Vulnerabilities catalog on April 13, 2026. FCEB agencies must patch by April 27, 2026.<\/p>\n\n\n\n
Adobe has released emergency security updates for a critical zero-day vulnerability in Adobe Acrobat Reader<\/strong> that has been actively exploited in the wild since at least December 2025<\/strong>. Tracked as CVE-2026-34621<\/strong>, the flaw affects both Windows and macOS versions of Acrobat Reader and Acrobat and allows attackers to execute arbitrary code on victim systems by simply convincing a user to open a malicious PDF file.<\/p>\n\n\n\n The vulnerability was first detected by EXPMON founder Haifei Li<\/strong>, who identified sophisticated zero-day exploitation in the wild using a weaponized PDF lure named Prototype pollution<\/strong> is a JavaScript vulnerability class that allows attackers to manipulate an application’s core object prototypes \u2014 the blueprints from which all JavaScript objects are created. When exploited in Adobe Reader’s PDF JavaScript engine, this allows the attacker to inject malicious properties into base objects, ultimately redirecting code execution to attacker-controlled functionality.<\/p>\n\n\n\n The attack is delivered entirely through a specially crafted PDF document. Here is the full exploitation chain observed in the wild:<\/p>\n\n\n\n The weaponized PDF files use invoice-themed lures ( Upon opening the PDF in Adobe Reader, the document automatically triggers execution of obfuscated JavaScript<\/strong> without any additional user interaction. The JavaScript exploits CVE-2026-34621 to abuse privileged Acrobat APIs<\/strong> that are normally restricted to trusted code \u2014 bypassing Adobe Reader’s security sandbox model.<\/p>\n\n\n\n The sample acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits. \u2014 Haifei Li, EXPMON<\/p><\/blockquote>\n\n\n\n With privileged API access established, the malicious JavaScript performs broad information collection including:<\/p>\n\n\n\n Collected data is exfiltrated to the attacker’s C2 server at 169.40.2[.]68:45191<\/strong>. The C2 then responds with additional JavaScript payloads to be executed in the context of Adobe Reader. Researchers believe these follow-on payloads deliver:<\/p>\n\n\n\n The exact next-stage payload was not recovered by researchers as the C2 server did not respond to requests from analysis environments \u2014 suggesting the attackers perform environment checks before delivering the payload, a common anti-analysis technique.<\/p>\n\n\n\n The gap between first exploitation (November 2025) and patch release (April 2026) represents approximately 135 days of zero-day exposure<\/strong> \u2014 a significant window during which targeted organizations had no vendor-supplied defense.<\/p>\n\n\n\n The following Adobe products are affected on both Windows and macOS<\/strong>:<\/p>\n\n\n\n Based on the available evidence, the targeting profile includes:<\/p>\n\n\n\n Adobe revised the CVSS score from 9.6 to 8.6 after updating the attack vector from Network (AV:N) to Local (AV:L), reflecting that the attacker needs local access or user interaction (opening a PDF) to exploit the flaw. However, this revision understates the real-world risk<\/em> for several reasons:<\/p>\n\n\n\n Written by Tarang Parmar (CEH) \u2014 TheCyberSecurity.Network. Read time: 10 min. Last updated: April 13, 2026.<\/em><\/p>\n\n\n","protected":false},"excerpt":{"rendered":" Adobe’s emergency patch for CVE-2026-34621 arrived 135 days after threat actors began exploiting this critical zero-day in Adobe Reader. The attack uses a prototype pollution flaw to execute privileged JavaScript from a malicious PDF \u2014 no click required beyond opening the document. CISA has added it to KEV with an April 27 federal deadline. Here is the full technical breakdown.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[42],"tags":[37,39,12,40,35],"class_list":["post-114","post","type-post","status-publish","format-standard","hentry","category-vulnerability","tag-critical","tag-cybersecurity","tag-rce","tag-threatintel","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/posts\/114","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/comments?post=114"}],"version-history":[{"count":0,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/posts\/114\/revisions"}],"wp:attachment":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/media?parent=114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/categories?post=114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/tags?post=114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Invoice540.pdf<\/code>. The sample first appeared on VirusTotal on November 28, 2025<\/strong> \u2014 over four months before Adobe released a patch \u2014 meaning attackers had a significant head start.<\/p>\n\n\n\nVulnerability Details: CVE-2026-34621<\/h2>\n\n\n\n
How the Attack Works: Zero-Day Exploitation Chain<\/h2>\n\n\n\n
Phase 1 \u2014 Social Engineering Delivery<\/h3>\n\n\n\n
Invoice540.pdf<\/code>) to trick targets into opening them. Security researcher Gi7w0rm identified that observed samples contain Russian-language lures<\/strong> referencing issues in the Russian oil and gas industry<\/strong> \u2014 suggesting targeted spear-phishing against energy sector organizations.<\/p>\n\n\n\nPhase 2 \u2014 Zero-Day Trigger<\/h3>\n\n\n\n
Phase 3 \u2014 Information Harvesting<\/h3>\n\n\n\n
Phase 4 \u2014 C2 Exfiltration and Follow-On Payloads<\/h3>\n\n\n\n
Timeline: From Zero-Day to Patch<\/h2>\n\n\n\n
Invoice540.pdf<\/code>) uploaded to VirusTotal. Exploitation likely begins.<\/li>Affected Products and Versions<\/h2>\n\n\n\n
Who is Being Targeted?<\/h2>\n\n\n\n
Indicators of Compromise (IOCs)<\/h2>\n\n\n\n
Malicious PDF Samples<\/h3>\n\n\n\n
Invoice540.pdf<\/code><\/li>54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f<\/code><\/li>65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7<\/code><\/li>Network IOCs<\/h3>\n\n\n\n
Behavioral IOCs<\/h3>\n\n\n\n
Immediate Actions Required<\/h2>\n\n\n\n
Why This is More Serious Than the CVSS Score Suggests<\/h2>\n\n\n\n
References<\/h2>\n\n\n\n