Adobe has released emergency patches to address a critical vulnerability in Acrobat and Reader software that has been actively exploited for several months. Known as CVE-2026-34621, this zero-day vulnerability has been assigned a CVSS score of 9.6 and involves improperly controlled modifications to prototype attributes, allowing for the execution of arbitrary code. Affected versions include Acrobat DC and Acrobat Reader DC for both Windows and macOS, specifically updated in versions 26.001.21411, 24.001.30362, and 24.001.30360 of Acrobat 2024. This vulnerability was identified by Haifei Li, a well-respected researcher and founder of Expmon, who discovered the flaw while analyzing a sophisticated PDF exploit designed for information harvesting. Initial findings warned that the exploit could lead to more severe consequences such as remote code execution and sandbox escapes. Further investigation suggests that the exploitation began as early as November 2025, potentially orchestrated by an advanced persistent threat group using Russian-themed lures. Adobe has since downgraded the CVSS score to 8.6 due to the necessity of opening a file locally to trigger the exploit; however, the urgency to patch remains high to prevent potential attacks. Security professionals are encouraged to apply these patches immediately. Li and other researchers have made technical details and indicators of compromise available to assist defenders in identifying potential exploitations.
Adobe Releases Urgent Patch for Exploited Reader Vulnerability
Adobe patched a Reader zero-day (CV E-2026-34621) after it was exploited in the wild for months; keep systems updated.


