2026-04-13 | Adobe rolls out emergency fix for Acrobat, Reader zero-day flaw

1. AI Summary

Adobe released an emergency update for Acrobat Reader to fix CVE‑2026‑34621, a zero‑day PDF exploit that bypasses the sandbox, reads arbitrary files and exfiltrates data; attacks used Russian‑language oil‑and‑gas lures and required only opening the malicious PDF.

2. IOCs

IOC Type	Value	Description	Relevant MITRE ATT&CK Techniques
Filename	yummy_adobe_exploit_uwu.pdf	Sample PDF used in the zero‑day exploit; triggers the CVE‑2026‑34621 vulnerability.	T1203\|T1566.001

3. MITRE ATT&CK

Code	Title
T1203	Exploitation for Client Execution – the PDF exploits a vulnerability in Adobe Reader to run code.
T1566.001	Phishing: Spearphishing Attachment - Phishing: Spearphishing Attachment – malicious PDF distributed to victims.
T1059.007	Command and Scripting Interpreter: JavaScript – abuse of privileged JavaScript APIs.
T1105	Ingress Tool Transfer - Ingress Tool Transfer – RSS.addFeed() used to fetch additional attacker‑controlled code.
T1039	Data from Local System – util.readFileIntoStream() reads arbitrary local files.
T1041	Exfiltration Over Command and Control Channel – data exfiltrated via RSS feed.

4. Targets

Type	Value
Sector	Oil and gas

5. Article Details

Article: Adobe rolls out emergency fix for Acrobat, Reader zero-day flaw
Publishing date: 2026-04-13
Tags:
Vulnerability

6. Original text

Adobe has released an emergency security update for Acrobat Reader to fix a vulnerability, tracked as CVE-2026-34621, that has been exploited in zero-day attacks since at least December. The flaw allows malicious PDF files to bypass sandbox restrictions and invoke privileged JavaScript APIs, potentially leading to arbitrary code execution. The exploit observed in attacks enables reading and stealing arbitrary files. No user interaction is required beyond opening the malicious PDF. Specifically, the exploit abuses APIs like util.readFileIntoStream() to read arbitrary local files and RSS.addFeed() to exfiltrate data and fetch additional attacker-controlled code. The security issue was discovered by Haifei Li, founder of the EXPMON exploit detection system, after someone submitted for analysis a PDF sample named "

yummy_adobe_exploit_uwu.pdf

." Haifei Li says that someone submitted the sample to EXPMON on March 26, but it had been sent to VirusTotal three days before, where only five out of 64 security vendors flagged it as malicious at the time. The researcher decided to manually investigate the issue after the exploit detection system activated its "detection in depth" feature, an advanced detection capability Haifei Li specifically developed for Adobe Reader, he says in a blog post last week. Security researcher Gi7w0rm spotted attacks in the wild that leveraged Russian-language documents with

Oil and gas

industry lures. Following the receipt of Li’s report, Adobe published a security bulletin over the weekend, assigning the vulnerability the CVE-2026-34621 tracker. Although the flaw was initially rated critical (9.6) with a network attack vector, Adobe subsequently lowered the severity to 8.6 after changing the vector to local.

The vendor listed the following Windows and macOS products as impacted: Acrobat DC versions 26.001.21367 and earlier (fixed in version 26.001.21411) Acrobat Reader DC versions 26.001.21367 and earlier (fixed in version 26.001.21411) Acrobat 2024 versions 24.001.30356 and earlier (fixed in version 24.001.30362 on Windows, and version 24.001.30360 on Mac) Adobe recommends that users of the above software update their applications through ‘Help > Check for Updates,’ which triggers an automated update. Alternatively, users may download an Acrobat Reader installer from Adobe’s official software portal . No workarounds or mitigations were listed in the bulletin, so applying the security updates is the only recommended action. However, users should always be wary of PDF files sent from unsolicited sources and open them in sandboxed environments when suspicious.