
Critical Adobe Acrobat Reader 0-Day Exploit Detected in the Wild: Urgent Security Update Released

By xploitzone
April 13, 2026 4:53 PM

A critical zero-day vulnerability in Adobe Acrobat Reader, CVE-2026-34621, had been actively exploited since December 2025 before it was discovered by EXPMON. Adobe released an emergency patch in April 2026. Here is what happened, how it happened, and how you can stay safe.

Adobe Acrobat Reader, the world's most widely used PDF reader, had a dangerous vulnerability that went undetected for four months; by the time it was discovered, attackers were already taking advantage of it.

On April 13, 2026, Adobe officially confirmed that this vulnerability, CVE-2026-34621, was being actively exploited in the wild and released an emergency patch. But the story behind this patch isn't just about a bug fix: it's about a sophisticated, well-planned attack campaign that had been running since November 2025 and was targeting enterprise environments.

Where It Started: The Role of EXPMON

Haifei Li is a security researcher and the founder of the EXPMON platform. EXPMON is a sandbox-based exploit detection system that analyzes suspicious files using both automated and manual methods. On March 26, 2026, an unknown person submitted a PDF named yummy_adobe_exploit_uwu.pdf to EXPMON.

The name itself was odd. The file triggered EXPMON's advanced detection-in-depth feature, indicating that something unusual was going on. When Li inspected the file manually, he found a highly sophisticated fingerprinting-style exploit that abused a previously unknown vulnerability in Adobe Reader.

Another important fact then came to light: this was not the first sample. Investigating further, Li found a file on VirusTotal named Invoice540.pdf that had first been uploaded on 28 November 2025.

This meant the vulnerability had been exploited silently since November 2025, or possibly even earlier. Another variant appeared on VirusTotal on 23 March 2026. The presence of both samples shows that this was not a one-off incident but an organized, ongoing attack campaign.

Malicious PDF Campaign Combined with Social Engineering

When security researcher Gi7w0rm analyzed these PDF files, he shared some interesting observations. The documents used Russian-language lures, and their content concerned current events in Russia's oil and gas industry.

This is a classic spear-phishing technique: the attacker targets an audience interested in the topic and gets them to open the file. Any employee in the oil and gas sector who receives a relevant-sounding document could easily open it without thinking about what is hidden inside.

It is important to understand that simply opening the PDF file was enough to trigger the exploit. There was no need to click anything else and no need to enable any macros. Opening the file in Adobe Reader was all it took for the exploit to start working.

Technical Breakdown: What Is Prototype Pollution?

This vulnerability is classified under CWE-1321, Prototype Pollution. It is primarily a JavaScript weakness. Every object in JavaScript inherits from a shared prototype, ultimately Object.prototype. When you access a property that is not directly on an object, JavaScript walks the prototype chain and returns the property from there. This is a fundamental JavaScript feature.

In Prototype Pollution the attacker abuses this mechanism. If the application does not properly validate user-supplied input, the attacker can inject properties into Object.prototype. When subsequent application code reads a property that the object does not define itself, it inherits the injected value from the prototype, and in this way the attacker can manipulate the application's internal logic.
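To make the mechanism concrete, here is an added example (not code from the article, from EXPMON, or from Adobe): a recursive "merge" helper of the kind found in many JavaScript code bases, first in a form that is vulnerable to prototype pollution, then hardened. The malicious JSON document and the config object are constructed for the demonstration. It runs in Node.js with no third-party modules.

```javascript
// Added example (not from the article or Adobe): a recursive "merge" helper of the kind
// found in many JavaScript code bases, first in a form vulnerable to prototype pollution
// (CWE-1321), then hardened. Runs in Node.js; no third-party modules.

// Vulnerable: treats "__proto__" like any other key. On a plain object, dst["__proto__"]
// resolves to Object.prototype, so the recursion writes attacker-chosen keys onto it.
function mergeVulnerable(dst, src) {
  for (const key in src) {
    const value = src[key];
    if (typeof value === "object" && value !== null) {
      if (typeof dst[key] !== "object" || dst[key] === null) dst[key] = {};
      mergeVulnerable(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened: only own keys of src, never the keys that reach the prototype chain, and
// only recurse into nested objects that dst itself owns.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function mergeSafe(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (typeof value === "object" && value !== null && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || typeof dst[key] !== "object" || dst[key] === null) dst[key] = {};
      mergeSafe(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Feeds a constructed malicious document to a merge function and reports whether an
// unrelated object created afterwards inherited the injected property. Any pollution is
// removed again so the rest of the process is unaffected.
function pollutes(mergeFn) {
  const config = { debug: false };
  // Constructed input: what a hostile JSON document might contain. JSON.parse creates an
  // ordinary own property literally named "__proto__", which the loop then walks into.
  const untrusted = JSON.parse('{"debug": true, "__proto__": {"isAdmin": true}}');
  mergeFn(config, untrusted);
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log("vulnerable merge pollutes Object.prototype:", pollutes(mergeVulnerable)); // true
console.log("hardened merge pollutes Object.prototype:", pollutes(mergeSafe));          // false
```

The hardened version makes three changes: it iterates own keys only, it refuses the three keys that can reach the prototype chain, and it never recurses into a value that `dst` inherited rather than owns. For lookup tables that hold untrusted keys, creating them with `Object.create(null)` removes the prototype chain entirely, and `Object.freeze(Object.prototype)` is a blunt but effective defence-in-depth option in code bases that can tolerate it.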

Adobe Acrobat Reader had this vulnerability in its JavaScript engine. When a specially crafted PDF was opened, embedded obfuscated JavaScript ran and manipulated Object.prototype. This first stage worked as a fingerprinting exploit, meaning the attacker first collected information about the victim's system.

According to Haifei Li, the exploit used the util.readFileIntoStream() API call, which is part of Adobe Reader's privileged API and could read arbitrary files on the local system, including files accessible to the Reader sandbox process. This allowed the attacker to obtain sensitive information about the system and then decide what further action to take against the target.

And here comes the most dangerous part. Li stated clearly that this sample was an initial exploit, after which Remote Code Execution and sandbox bypass exploits could be delivered: steal information in the first stage, then compromise the entire system in the second. According to Feedly's research, this PDF could effectively become a full Remote Access Trojan deployment vector, a simple document that could hand the attacker control of the entire system.

CVE Details and CVSS Score Debate

CVE-2026-34621 was originally assigned a CVSS score of 9.6, Critical severity. However, on April 12, 2026, Adobe updated its advisory and lowered the score to 8.6. The reason was that the attack vector metric was changed from Network (AV:N) to Local (AV:L). It had previously been assumed that the exploit could be triggered remotely over the network, but it was later confirmed that victim interaction is required: the victim has to open the file themselves.

But EXPMON clearly stated its position on this change. They said Adobe had determined that the bug could lead to arbitrary code execution, not just information leakage, which matched their findings and those of other security researchers. The score change did not reduce the impact of the attack; it was still a critical vulnerability in which a single click by the victim could compromise the entire system.

Affected Versions and Security Patch

Adobe released an emergency patch on April 11, 2026 under security bulletin APSB26-43 with a Priority 1 rating, the highest urgency level. Affected versions include Acrobat DC and Acrobat Reader DC version 26.001.21367 and all earlier versions.

The fixed version is 26.001.21411. Acrobat 2024 version 24.001.30356 and earlier is affected; the fix is in 24.001.30362 on Windows and 24.001.30360 on macOS. This patch is available for both Windows and macOS platforms.
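For anyone triaging an inventory against these numbers, here is an added example (not from the article or from Adobe) that decides whether an installed build is at or above the fixed version. The version numbers are the ones listed above; the inventory rows are constructed, and treating the DC fix as the same build number on Windows and macOS is an assumption that follows from the bulletin listing a single number for it.

```javascript
// Added example (not from the article or Adobe): decide whether an installed Acrobat build
// is at or above the fixed version from APSB26-43. Version numbers are those the article
// gives; the DC fix is assumed to be the same build number on Windows and macOS.

const FIXED_VERSIONS = {
  "Acrobat DC": { windows: "26.001.21411", macos: "26.001.21411" },
  "Acrobat Reader DC": { windows: "26.001.21411", macos: "26.001.21411" },
  "Acrobat 2024": { windows: "24.001.30362", macos: "24.001.30360" },
};

// Numeric, component-wise comparison. A plain string comparison gets this wrong:
// "26.001.9" > "26.001.21411" as strings, but 9 < 21411 as a build number.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  if (pa.some(Number.isNaN) || pb.some(Number.isNaN)) {
    throw new Error(`non-numeric version: ${a} / ${b}`);
  }
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isPatched(product, platform, version) {
  const track = FIXED_VERSIONS[product];
  if (!track) throw new Error(`unknown product: ${product}`);
  const fixed = track[platform];
  if (!fixed) throw new Error(`unknown platform: ${platform}`);
  return compareVersions(version, fixed) >= 0;
}

// Returns the subset of an inventory that still needs the update.
function unpatched(inventory) {
  return inventory.filter((h) => !isPatched(h.product, h.platform, h.version));
}

// Constructed inventory rows, not real hosts.
const INVENTORY = [
  { host: "ws-01", product: "Acrobat Reader DC", platform: "windows", version: "26.001.21367" },
  { host: "ws-02", product: "Acrobat Reader DC", platform: "windows", version: "26.001.21411" },
  { host: "mac-01", product: "Acrobat 2024", platform: "macos", version: "24.001.30356" },
  { host: "mac-02", product: "Acrobat 2024", platform: "macos", version: "24.001.30360" },
];

for (const h of unpatched(INVENTORY)) {
  console.log(`${h.host}: ${h.product} ${h.version} needs the APSB26-43 update`);
}
```

The platform lookup matters for the 2024 track, where the Windows and macOS fixed builds differ by two; a check that uses one number for both would either miss unpatched Windows hosts or flag patched macOS hosts.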

Why This Vulnerability Was So Dangerous

What made this vulnerability different from an ordinary one was the four months of silent exploitation. From November 2025 to April 2026, the attack went on without any major detection. Traditional antivirus tools did not catch the file: according to EXPMON's records, when the sample was on VirusTotal only 13 of 64 antivirus engines detected it, meaning most security tools were completely blind to it.

This scenario is especially concerning for enterprise environments. Adobe Acrobat Reader is used in millions of organizations worldwide, including government agencies, banks, law firms, oil and gas companies, and everywhere else. A single malicious PDF email attachment could reach any employee, and with one click the attacker could gain access to information and then potentially to the entire system. This is exactly the attack scenario that advanced persistent threat groups use in targeted espionage campaigns.

What You Should Do

If you use Adobe Acrobat Reader or Acrobat DC, update it immediately. In Adobe Reader, go to the Help menu, click Check for Updates, and install the latest version. This one action alone protects against this specific vulnerability.

Beyond that, organizations should scan PDF attachments through email security gateways, and employees should verify PDFs from unknown sources before opening them. If you receive an oil-and-gas-related document in Russian that you were not expecting, double-check it.

Final Thoughts

CVE-2026-34621 isn't just another vulnerability; it's a reminder that sophisticated attackers are at work every day, and that traditional detection methods can fail to catch them. Advanced sandbox-based platforms like EXPMON have shown that a detection-in-depth approach works where basic antivirus software fails.

Adobe has released a patch, but the exact number of systems compromised and the amount of information leaked during the four months the exploit was active is still unclear. Security updates are therefore not just a technical task; they are a fundamental part of your digital security.
