Adobe has released a fix for an Acrobat and Reader zero-day that attackers had been exploiting for months.
The patch, shipped on April 11, addresses CVE-2026-34621, a critical vulnerability in Acrobat and Reader on Windows and macOS that can lead to arbitrary code execution. That's the polite way of saying a booby-trapped PDF could hand over the keys to the machine just by being opened.
In its advisory, Adobe says it is "aware of CVE-2026-34621 being exploited in the wild," which is doing a fair bit of reputational cleanup in a single sentence. Until now, there had been no public acknowledgment from the company that the bug even existed, let alone that attackers were actively using it.
The patch arrived a couple of days after external reporting put the campaign in the spotlight.
Malicious documents used heavily obfuscated JavaScript running through legitimate Acrobat APIs to gather system information from the host. Based on what it found, the malware could then decide whether to escalate, pulling down a second-stage payload capable of remote code execution or breaking out of Reader's sandbox.
Some targets were left with nothing more than a fingerprinting pass, while others were lined up for deeper compromise. That kind of triage suggests a campaign with specific interests rather than opportunistic spam, which lines up with the lures researchers observed. Some of the documents were written in Russian and referenced oil and gas sector themes, hinting at a more targeted victim pool without quite pointing a finger at who might be behind it.
According to researchers, evidence suggests the malicious activity stretches back to at least late 2025, giving attackers a comfortable runway of several months. During that time, the exploit blended into normal Reader behavior, sidestepping traditional defenses that are tuned to spot known signatures or obvious misbehavior.
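Because the documents described above ran JavaScript inside the PDF rather than matching a known signature, one structural check a defender can run over stored attachments is whether a file carries script together with an automatic trigger. The following is an added example, not code from Adobe, the researchers or this article; the function names and sample bytes are constructed for illustration, and it flags generic PDF traits, not CVE-2026-34621 itself.

```python
import re

# PDF name tokens for embedded script and for actions that fire without a click.
SCRIPT_NAMES = {"JS", "JavaScript"}
TRIGGER_NAMES = {"OpenAction", "AA"}

# A PDF name is "/" followed by regular characters (no whitespace or delimiters).
_NAME = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Count script/trigger names in raw PDF bytes.

    Limitation: names stored inside compressed object streams are not visible
    here, so a clean result is not proof of a clean file, and a hit is a
    reason to look closer, not a verdict.
    """
    counts = {n: 0 for n in SCRIPT_NAMES | TRIGGER_NAMES}
    escaped = False
    for m in _NAME.finditer(data):
        raw = m.group(1)
        name = decode_name(raw)  # whole-name match, so /AAPL is not /AA
        if name in counts:
            counts[name] += 1
            escaped = escaped or b"#" in raw  # hex-escaped keyword: obfuscation hint
    has_script = any(counts[n] for n in SCRIPT_NAMES)
    has_trigger = any(counts[n] for n in TRIGGER_NAMES)
    return {"counts": counts, "escaped_names": escaped,
            "has_script": has_script,
            "auto_run_script": has_script and has_trigger}

# Constructed sample fragments (not taken from any real document).
SAMPLE_SCRIPTED = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                   b"2 0 obj\n<< /S /J#61vaScript /J#53 (constructed placeholder) >>\nendobj\n")
SAMPLE_PLAIN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, blob in (("scripted", SAMPLE_SCRIPTED), ("plain", SAMPLE_PLAIN)):
        print(label, triage_pdf(blob))
```

Many legitimate forms also contain JavaScript, so results are best used to prioritise which files received during the exposure window get a closer look.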
The patch closes the hole, but it does not rewind the clock. Anyone who opened a malicious PDF during that window may already have been profiled or worse, depending on how interesting they looked to the attacker. Adobe has not said how many users might have been affected, how the flaw was discovered internally, or why acknowledgment lagged behind public reporting. The company still hasn't responded to The Register's questions.
Adobe may have closed the door, but not before plenty had already walked through it. ®