Adobe has released a patch for a critical zero-day vulnerability in its Acrobat and Reader software that hackers have actively exploited for at least four months.
The vulnerability, identified as CVE-2026-34621, allows attackers to remotely install malware on Windows and macOS computers. The attack is triggered when a user opens a specially crafted PDF file.
Adobe confirmed the flaw is being exploited in the wild. The company's security advisory covers Acrobat DC, Reader DC, and Acrobat 2024.
Long-term exploitation detected
Security researcher Haifei Li, founder of the exploit-detection system EXPMON, discovered the flaw after a malicious PDF was submitted to his malware scanner. Li's analysis suggests the campaign has been active since late 2025.
In a recent blog post, Li noted that a version of the malware-laden PDF first appeared on the VirusTotal malware scanner in late November 2025. This timeline indicates that the vulnerability remained unpatched and exploitable for several months.
While the total number of compromised users is unknown, the ubiquity of Adobe's software makes it a primary target for cybercriminals. Attackers frequently leverage weaknesses in PDF readers to steal sensitive data and gain unauthorized access to systems.
Li stated that it was not possible to retrieve further exploits from the attackers' servers. He also noted that the specific targets and motives behind the campaign remain unidentified.
