Adobe Patches Reader Zero-Day Exploited for Months

What happened

Adobe released emergency patches for a critical Acrobat and Reader zero-day that had been exploited in the wild for several months. The vulnerability, tracked as CVE-2026-34621, has a CVSS score of 9.6 and stems from improperly controlled modifications to prototype attributes. Adobe said the flaw can be exploited for arbitrary code execution. Affected products include Acrobat and Reader for Windows and macOS. The fixes are included in Acrobat DC and Acrobat Reader DC version 26.001.21411, as well as Acrobat 2024 versions 24.001.30362 and 24.001.30360. Adobe also confirmed active exploitation and credited Haifei Li with reporting the issue after he identified a sophisticated malicious PDF uploaded to his sandbox system. Researchers determined from an exploit sample that the attacks may have started as early as November 2025. 

Who is affected

The direct exposure affects organizations and users running vulnerable versions of Adobe Acrobat and Reader on Windows and macOS. The flaw can allow arbitrary code execution through malicious PDF files, creating immediate risk for endpoints where those applications are installed and unpatched. 

Why CISOs should care

This matters because the vulnerability was exploited for months before Adobe released a patch, giving attackers a long window to target users with malicious PDFs. It is also a high-severity code execution flaw in widely deployed document software, which makes patch timing and endpoint coverage especially important. 

3 practical actions

1. Patch affected systems immediately: Deploy Adobe’s emergency updates for Acrobat and Reader across Windows and macOS environments without delay. 
2. Hunt for malicious PDF activity: Review email, web, and endpoint telemetry for suspicious PDF files and related execution activity dating back to late 2025, since researchers believe exploitation began as early as November. 
3. Use the published detection material: Incorporate the available technical details and indicators of compromise into threat hunting and detection workflows to identify possible exploitation of CVE-2026-34621. 

For more news about security flaws under active exploitation, click Vulnerability to read more.