INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Adobe Patches Actively Exploited Zero-Day Flaw
2026-04-13 20:52 CRITICAL HIGH
Executive Summary AI-generated
The newly discovered AI-led remediation crisis has exposed a previously unknown vulnerability in Adobe's Acrobat and Reader software, with the high-severity flaw having been exploited for months. The CVE-2026-34621 exploit requires user interaction to trigger the attack, which can lead to remote code execution and sandbox escape exploits. Sophisticated payloads have been dropped on this flaw independently by an independent security researcher, Haifei Li, who uncovered the vulnerability when analyzing a maliciously crafted PDF uploaded to a public threat-sharing platform in March 2026. The initial investigation showed the malware had remained largely unnoticed until November 28, 2025, suggesting ongoing attacks targeting the flaw since then.
Technical Mitigations AI-generated
• The vulnerability allows attackers to execute arbitrary code, potentially leading to remote code execution (RCE) and sandbox escape (SBX) exploits.
• Attackers can trigger the flaw by opening a malicious PDF file with no additional clicks or permissions required.
• Once triggered, the booby-trapped PDF file silently fingerprints victims' systems before deciding whether they are worth attacking further.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-34621
Target & Sectors
RU
Incident Timeline
Nov. 28, 2025
Threat actors exploited a zero-day vulnerability in Adobe's software that persisted for months.
March 23
Threat actors used a zero-day vulnerability in Adobe's software to target the platform on March 23.
His initial investigation showed the malicious PDF had actually been sitting largely unnoticed on the public threat-sharing platform VirusTotal since March 23, with just five out of 64 security tools flagging it as suspicious.
March 26
Haifei Li discovered the vulnerability by analyzing a maliciously crafted PDF on March 26.
Sophisticated Payload Dropped on Adobe Flaw
Independent security researcher Haifei Li, founder and developer of EXPMON exploit detection system, uncovered the vulnerability when analyzing a maliciously crafted PDF that someone anonymously uploaded to the platform on March 26.
Haifei Li says that someone submitted the sample to EXPMON on March 26, but it had been sent to VirusTotal three days before, where only five out of 64 security vendors flagged it as malicious at the time.
2026/04/06
Threat actors exploited a zero-day vulnerability in Adobe's software that lingered for months.
April 11
Adobe acknowledged the issue on April 11 in an advisory.
2026/04/13
Threat actors exploited a zero-day vulnerability in Adobe Acrobat Reader, using PDFs as an attack delivery mechanism.
Stealthy Reconnaissance
The heavily obfuscated malware hidden inside the PDF executes immediately when a victim opens the file, according to Li.
Adobe patched an arbitrary code execution vulnerability in the latest versions of its Acrobat and Reader for Windows and macOS, nearly four months after an attacker first appeared to have begun exploiting it.
The vendor listed the following Windows and macOS products as impacted:
Acrobat DC versions 26.001.21367 and earlier (fixed in version 26.001.21411)
Acrobat Reader DC versions 26.001.21367 and earlier (fixed in version 26.001.21411)
Acrobat 2024 versions 24.001.30356 and earlier (fixed in version 24.001.30362 on Windows, and version 24.001.30360 on Mac)
The high-severity vulnerability, assigned as CVE-2026-34621, has a CVSS score of 8.6 and stems from a combination of improper input validation and unsafe handling of object attributes.
Li found that an attacker could trigger CVE-2026-34621 simply by getting a user to open the PDF with no additional clicks or permissions required.
"Exploitation of this issue requires user interaction in that a victim must open a malicious file," according to CVE-2026-34621's description on the NIST's National Vulnerability Database (NVD).
Adobe has released an emergency security update for Acrobat Reader to fix a vulnerability, tracked as CVE-2026-34621, that has been exploited in zero-day attacks since at least December.
The flaw was initially assigned a CVSS score of 9.6 but Adobe later revised it.
Adobe Patches Actively Exploited Zero-Day That Lingered for Months.
The flaw allows malicious PDF files to bypass sandbox restrictions and invoke privileged JavaScript APIs, potentially leading to arbitrary code execution.
The security issue was discovered by Haifei Li, founder of the EXPMON exploit detection system, after someone submitted for analysis a PDF sample named "yummy_adobe_exploit_uwu.pdf".
Intelligence Sources
Dark Reading
2026-04-13
BleepingComputer
2026-04-13
Adobe rolls out emergency fix for Acrobat, Reader zero-day flaw
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T06:25
Contextual Telemetry
• Exploited CVE: CVE-2026-34621
• Security Tools: 64
• Target Country: Russian Federation
• MITRE ATT&CK Technique: T1059.007 - JavaScript