Adobe has promptly rolled out emergency patches to address a critical zero-day vulnerability in its Acrobat and Reader software, which has been actively exploited for several months. This vulnerability, identified as CVE-2026-34621, initially received a CVSS score of 9.6, highlighting its potential severity. However, the score was later adjusted to 8.6 due to the requirement for users to open a malicious file locally to trigger the exploit. The flaw arises from improperly managed modifications to prototype attributes, which could allow attackers to execute arbitrary code on affected systems.

The vulnerability impacts both Windows and macOS versions of Acrobat and Reader. Adobe has included the necessary patches in version 26.001.21411 of Acrobat DC and Acrobat Reader DC, as well as in versions 24.001.30362 and 24.001.30360 of Acrobat 2024. The company has acknowledged that the zero-day has been exploited in the wild, with exploitation dating back to at least November 2025, according to analysis of samples uploaded to VirusTotal.

The discovery of this vulnerability is credited to Haifei Li, a seasoned researcher and the founder of Expmon, who identified it while examining a sophisticated PDF exploit. The exploit initially focused on information harvesting, but Li warned that it could evolve to include remote code execution and sandbox escape. Indicators of compromise have been released to help organizations detect and mitigate potential exploitation of this vulnerability.

In the wake of this discovery, it is suspected that an advanced persistent threat (APT) group may be behind these attacks. The malicious PDFs reportedly used Russian-language lures related to current events in Russia's oil and gas sector. Although the CVSS score has been lowered, the urgency to apply the patch remains high to avoid potential exploitation.