Adobe issues emergency fix for Acrobat Reader flaw exploited in the wild (CVE-2026-34621)
Adobe has pushed out an emergency security update for Adobe Acrobat Reader, patching a zero-day vulnerability (CVE-2026-34621) exploited in the wild since November 2025.
About CVE-2026-34621
CVE-2026-34621 is a critical prototype pollution vulnerability – a type of vulnerability that occurs in JavaScript and allows attackers to add or modify an application’s JavaScript objects and properties.
CVE-2026-34621 can lead to arbitrary code execution in the context of the current user, but it cannot be triggered remotely.
“Exploitation of this issue requires user interaction in that a victim must open a malicious file,” the vulnerability’s NVD entry states.
Its in-the-wild exploitation was flagged by security researcher Haifei Li, after someone submitted a malicious PDF sample to EXPMON, a publicly available system for detecting advanced file-based exploits.
The analysis of that and another related malicious PDF file revealed that, once opened, they would “fingerprint” the underlying system and send the information to a command and control (C2) server operated by the attackers.
The exploit can also launch additional exploits received from the C2 server, but Li was unable to trigger this step.
An analysis by malware researcher Giuseppe Massaro has shown that both malicious PDFs contained text in Russian related to gas supply disruption and emergency response.
Update ASAP!
Adobe has addressed CVE-2026-34621 across several product versions:
- Acrobat DC and Acrobat Reader DC v26.001.21411 (for Windows and macOS), and
- Acrobat 2024 versions 24.001.30362 (for Windows) and 24.001.30360 (for macOS).
The company recommends that admins install the update as soon as possible.
If immediate patching is not feasible, Li and Massaro say that users should be instructed not to open PDF files sent by untrusted parties, and security teams should monitor endpoints for specific changes and block all HTTP/HTTPS traffic that has the “Adobe Synchronizer” string in the User-Agent field.
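One way to hunt for the User-Agent indicator mentioned above in existing proxy logs, as an added example that is not code from the article or from the researchers. It assumes the proxy writes Apache-style combined log lines; the sample lines, addresses, hostnames and User-Agent values are constructed.

```python
import re
from collections import defaultdict

# Indicator from the article: string to look for in the User-Agent header.
UA_INDICATOR = "adobe synchronizer"

# Assumption: the proxy logs in Apache-style "combined" format.
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

def find_hits(lines):
    """Map each client address to the requests whose User-Agent matches."""
    hits = defaultdict(list)
    for line in lines:
        m = COMBINED.match(line)
        if m is None:
            continue  # not in the assumed format; ignore rather than guess
        # Match on the parsed User-Agent only, case-insensitively, so the
        # same words in a URL or Referer do not raise a false alert.
        if UA_INDICATOR in m["ua"].lower():
            hits[m["client"]].append((m["ts"], m["method"], m["target"], m["status"]))
    return dict(hits)

# Constructed sample lines: addresses, hostnames and User-Agent values are invented.
SAMPLE_LOG = [
    '10.0.4.17 - - [14/Apr/2026:09:14:02 +0000] "POST http://host-a.example.invalid/a HTTP/1.1" 200 512 "-" "Adobe Synchronizer"',
    '10.0.4.17 - - [14/Apr/2026:09:14:09 +0000] "CONNECT host-a.example.invalid:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 adobe synchronizer"',
    '10.0.4.23 - - [14/Apr/2026:10:02:41 +0000] "GET http://host-b.example.invalid/ HTTP/1.1" 403 0 "-" "ADOBE SYNCHRONIZER/1.0"',
    '10.0.4.30 - - [14/Apr/2026:10:05:00 +0000] "GET http://intranet.example.invalid/ HTTP/1.1" 200 1024 "http://wiki.example.invalid/Adobe Synchronizer" "Mozilla/5.0 (Windows NT 10.0)"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    for client, requests in sorted(find_hits(SAMPLE_LOG).items()):
        print(f"{client}: {len(requests)} matching request(s)")
        for ts, method, target, status in requests:
            print(f"  {ts} {method} {target} -> {status}")
```

For HTTPS, a forward proxy sees the User-Agent only on the CONNECT request or when it inspects TLS, so an empty result from logs without that visibility does not rule out matching traffic.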

