Adobe issues emergency security patch — Reader and Acrobat users need to update now

News
By published

An Adobe zero-day used since December 2025 is now patched

The best free PDF reader
(Image credit: Shutterstock)
  • Adobe patches Acrobat Reader zero‑day exploited since Dec 2025
  • CVE‑2026‑34621 enabled RCE via malicious PDFs
  • Users must update; no workarounds available, defenders urged to monitor traffic

Adobe has released a fix for a vulnerability in Acrobat Reader which was being exploited as a zero-day since December 2025.

The vulnerability is described as an Improperly Controlled Modification of Object Prototype Attributes bug, now tracked as CVE-2026-34621. It enabled remote code execution (RCE) in the context of the current user, and its exploitation requires the victim to open a malicious PDF file.

It was given a severity score of 8.6/10 (high), and affects Acrobat Reader multiple versions:

Article continues below

Acrobat DC versions 26.001.21367 and earlier (fixed in version 26.001.21411)

Acrobat Reader DC versions 26.001.21367 and earlier (fixed in version 26.001.21411)

Acrobat 2024 versions 24.001.30356 and earlier (fixed in version 24.001.30362 on Windows, and version 24.001.30360 on Mac)

Highly sophisticated attack

The company said there were no workarounds or mitigations, and that the only way to fix the issue is to update the app. This can be done either through the app itself (by navigating to Help - Check for Updates menu), or by downloading the Acrobat Reader installer from Adobe’s official website.

Security researcher Haifei Li recently found and warned about a “highly sophisticated, fingerprinting-style PDF exploit”.

"This 'fingerprinting' exploit has been confirmed to leverage a zero-day/unpatched vulnerability that works on the latest version of Adobe Reader without requiring any user interaction beyond opening a PDF file," Li said. "Even more concerning, this exploit allows the threat actor to not only collect/steal local information but also potentially launch subsequent RCE/SBX attacks, which could lead to full control of the victim's system."

A separate report from an analyst with the alias Gi7w0rm says that the PDF lure being used in these attacks references ongoing events in the Russian oil and gas industry, and that it was written in Russian, suggesting who the targets might be.

While Adobe claims no workarounds are available, BleepingComputer noted network defenders could mitigate attacks by monitoring and blocking HTTP/HTTPS traffic with the “Adobe Synchronizer” string in the User-Agent header.

"This zero-day/unpatched capability for broad information harvesting and the potential for subsequent RCE/SBX exploitation is enough for the security community to remain on high alert. This is why we have chosen to publish these findings immediately so users can stay vigilant," the researcher concluded.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.