Adobe has addressed a significant security flaw in its Acrobat and Reader software that has been actively exploited for several months. This vulnerability, identified as CVE-2026-34621, received a CVSS score of 9.6, indicating its critical nature. The issue arises from improperly controlled modifications to prototype attributes, which can be exploited to execute arbitrary code. The affected software versions include Acrobat and Reader for both Windows and macOS, and the patches have been released in version 26.001.21411 of Acrobat DC and Acrobat Reader DC, along with versions 24.001.30362 and 24.001.30360 of Acrobat 2024.

Notably, this vulnerability was discovered by Haifei Li, a seasoned researcher and founder of Expmon, a system designed for detecting file-based exploits. Li discovered the zero-day vulnerability while examining a complex PDF exploit uploaded to Expmon. The exploit initially aimed to gather information, but Li cautioned that subsequent stages could involve remote code execution and a sandbox escape. Adobe has confirmed that the vulnerability can lead to code execution, making it a severe threat.

The exploitation of CVE-2026-34621 was traced back to as early as November 2025 based on analysis of samples uploaded to VirusTotal. Researchers suggest that an advanced persistent threat group may be behind the attacks, using Russian-language lures related to the country's oil and gas sector. Although details about the attackers are still emerging, the cybersecurity community is actively analyzing the exploits.

Adobe has since revised the CVSS score for the vulnerability to 8.6, changing its severity from critical to high due to the necessity of opening a file locally to trigger the exploit. Despite this, users are urged to apply the patch immediately to safeguard against potential attacks.