Adobe Reader Under Fire: Zero-Day Exploit Targets Users Via Malicious PDFs Since Late 2025
- John Jordan

- 13 hours ago
Cybercriminals have been actively exploiting a critical zero-day vulnerability in Adobe Reader, leveraging malicious PDF documents to steal sensitive data and potentially gain full control of victim systems. This sophisticated attack has been ongoing since at least December 2025, with no patch currently available from Adobe, leaving users exposed.
Key Takeaways
- A zero-day vulnerability in Adobe Reader is being actively exploited.
- Malicious PDFs are used as the initial attack vector, often employing social engineering.
- The exploit harvests sensitive data and can lead to remote code execution.
- Attacks have been ongoing since at least December 2025.
- No official patch has been released by Adobe yet.
Sophisticated PDF Exploit Uncovered
Security researchers have identified a highly sophisticated PDF exploit that targets an undisclosed vulnerability in Adobe Reader. This exploit, first observed in late 2025, abuses legitimate Acrobat APIs to harvest sensitive information and can potentially lead to further attacks, including remote code execution (RCE) and sandbox escape (SBX).
The attack begins with a malicious PDF file, often disguised as an invoice or other relevant document, designed to lure unsuspecting users into opening it. Once opened, the PDF automatically executes obfuscated JavaScript code without requiring further user interaction. This code is capable of collecting system details, Adobe Reader version, language settings, and file path information.
Targeted Attacks and Data Exfiltration
Analysis of the malicious PDFs revealed Russian-language lures referencing current events in the oil and gas industry, suggesting targeted campaigns aimed at specific regions or sectors. However, the underlying exploit can be adapted for broader use.
The collected data is exfiltrated to attacker-controlled servers. This information can be used for advanced fingerprinting of the victim system, allowing attackers to tailor subsequent stages of the attack. While the full extent of follow-on payloads remains unknown, the capability for broad information harvesting and potential RCE/SBX exploitation is a significant concern.
Ongoing Threat and Mitigation
As of the latest reports, Adobe has not yet released a patch for this vulnerability, leaving users exposed. Security experts are urging caution and recommending several preventative measures:
- Avoid opening PDF files from unknown or untrusted sources.
- Harden Adobe Reader settings by disabling JavaScript and enforcing protected modes.
- Implement strong email filtering and attachment sandboxing.
- Monitor endpoint and network activity for suspicious behavior, such as unusual API calls or outbound traffic.
- Restrict outbound network connections and apply DNS or domain filtering.
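For the email filtering step, a mail gateway can triage attachments for the pattern described above: JavaScript that runs automatically when the document opens. The sketch below is an added example, not code from the researchers or from Adobe; the function names, verdict labels and sample documents are assumptions constructed for illustration.

```python
import re

# Static keyword triage only: names hidden inside compressed object streams are
# not visible to a raw byte scan, so a "pass" here does not replace sandboxing.
SCRIPT_NAMES = {"JS", "JavaScript"}      # script-bearing PDF names
TRIGGER_NAMES = {"OpenAction", "AA"}     # actions that fire without a click
_NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r \(\)<>\[\]\{\}/%]+)")
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed samples (not taken from the campaign described in this article).
BENIGN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SCRIPT_ONLY = b"%PDF-1.7\n3 0 obj\n<< /S /JavaScript /JS (var v = 1;) >>\nendobj\n"
AUTO_JS = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
           b"/OpenAction 3 0 R >>\nendobj\n"
           b"3 0 obj\n<< /S /J#61vaScript /JS (var v = 1;) >>\nendobj\n")


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes in a PDF name (J#61vaScript -> JavaScript)."""
    decoded = _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count script and auto-trigger names in raw PDF bytes and give a verdict."""
    counts = {n: 0 for n in SCRIPT_NAMES | TRIGGER_NAMES}
    escaped = 0
    for m in _NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in counts:
            counts[name] += 1
            if b"#" in m.group(1):
                escaped += 1  # hex-escaping a keyword is itself a warning sign
    has_script = any(counts[n] for n in SCRIPT_NAMES)
    has_trigger = any(counts[n] for n in TRIGGER_NAMES)
    if has_script and has_trigger:
        verdict = "quarantine"   # script plus automatic trigger
    elif has_script or escaped:
        verdict = "review"       # script present but no automatic trigger seen
    else:
        verdict = "pass"
    return {"counts": counts, "escaped_names": escaped, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("script", SCRIPT_ONLY), ("auto", AUTO_JS)):
        print(label, triage_pdf(sample))
```
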
This ongoing campaign highlights the persistent threat of PDF-based exploits, which leverage trusted file formats to bypass traditional security controls. Users and organizations are advised to remain vigilant and apply layered security measures to mitigate the risk.
Sources
Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025, The Hacker News.
Adobe Acrobat Reader Zero Day Exploited in Active PDF Attacks, eSecurity Planet.
Adobe Reader Flaw Exploited in Active PDF-Based Attacks, SQ Magazine.
Hackers Exploit Adobe PDF Flaw for Months to Steal Data, No Fix Yet, TechRepublic.
Hackers exploiting Acrobat Reader zero-day flaw since December, BleepingComputer.
