A critical security flaw in Adobe Reader, identified as CVE-2026-34621, was actively exploited for 136 days before a patch was released, according to a report by nefariousplan.com.
The vulnerability was first detected via a VirusTotal upload on November 28, 2025, involving a file named `Invoice540.pdf`. While 51 of 64 antivirus engines identified the file as a standard document, 13 engines flagged it as suspicious.
Haifei Li, founder of EXPMON, analyzed the sample and identified a mechanism that abused unpatched vulnerabilities in Adobe Reader. Li stated the sample "acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution and sandbox escape exploits."
Li confirmed the exploit could execute privileged Acrobat APIs and was functional on the latest version of Adobe Reader available in November 2025. The mechanism involved obfuscated JavaScript within the document's open handler, with exfiltration directed to the IP address `169.40.2[.]68:45191`.
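The open-handler JavaScript pattern described above, as an added static triage check that is not code from the report, Adobe or EXPMON: it flags a PDF whose open handler (`/OpenAction` or `/AA`) is wired to a JavaScript action, after undoing two common evasions (hex-escaped names and Flate-compressed script streams). The sample PDF is constructed for the example and is not `Invoice540.pdf`; the key names used are standard PDF dictionary keys.

```python
"""Static triage for PDFs that attach JavaScript to the document open handler."""
import re
import zlib

NAME_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
ACROBAT_API = re.compile(rb"\b(?:app|this|util|Net|SOAP)\.[A-Za-z_]+")

# Constructed sample (not the Invoice540.pdf from the report): /OpenAction -> a JavaScript
# action with a hex-escaped name (/J#61vaScript) and a FlateDecode-compressed script body.
_DEFLATED = zlib.compress(b"app.alert('constructed sample, not a real payload');")
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
    + b"4 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(_DEFLATED)
    + _DEFLATED + b"\nendstream endobj\n%%EOF\n"
)

def inflate_streams(data: bytes) -> bytes:
    """Append the decompressed body of every stream that inflates cleanly as zlib/Flate."""
    extra = b""
    for body in STREAM_RE.findall(data):
        try:
            extra += b"\n" + zlib.decompress(body)
        except zlib.error:
            continue  # not Flate (or damaged); the raw bytes are already in `data`
    return data + extra

def normalise_names(data: bytes) -> bytes:
    """Resolve hex escapes so /J#61vaScript reads as /JavaScript. Run AFTER inflating:
    '#xx' sequences inside compressed bytes must not be rewritten."""
    return NAME_HEX.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Indicators for the open-handler JavaScript pattern; both together warrants analysis."""
    view = normalise_names(inflate_streams(data))
    has_open = re.search(rb"/(?:OpenAction|AA)(?![A-Za-z0-9])", view) is not None
    has_js = re.search(rb"/(?:JavaScript|JS)(?![A-Za-z0-9])", view) is not None
    return {
        "open_handler": has_open,
        "javascript": has_js,
        "name_obfuscation": NAME_HEX.search(data) is not None,
        # Acrobat DOM calls seen in the (inflated) script text, e.g. app.alert
        "acrobat_api_calls": sorted({m.decode() for m in ACROBAT_API.findall(view)}),
        "suspicious": has_open and has_js,
    }
```

A hit on `suspicious` is a triage signal for manual or sandbox analysis, not a verdict; object streams and other encodings the check does not inflate can still hide the action.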
On March 23, 2026, a second sample appeared on VirusTotal using the same mechanism. Researcher Gi7w0rm observed that these PDFs utilized Russian-language lures and referenced current events within Russia's oil and gas sector.
Adobe officially addressed the flaw on April 12, 2026, by issuing security advisory APSB26-26. The vulnerability was assigned CVE-2026-34621 and received a CVSS score of 9.6, categorized as critical.