{"id":7768,"date":"2026-04-09T23:00:10","date_gmt":"2026-04-09T23:00:10","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7768"},"modified":"2026-04-09T23:00:10","modified_gmt":"2026-04-09T23:00:10","slug":"hackers-have-been-exploiting-an-unpatched-adobe-reader-vulnerability-for-months","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7768","title":{"rendered":"Hackers have been exploiting an unpatched Adobe Reader vulnerability for months"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Adobe Reader vulnerabilities have been exploited for decades by threat actors taking advantage of the universal use of the utility to fool employees into downloading infected PDF documents through phishing lures.<\/p>\n<p>Now a security researcher says a Reader hole has been quietly exploited by malware for as long as four months, fingerprinting computers to gather information that will allow attackers to steal data and perform further malicious activities.<\/p>\n<p><a href=\"https:\/\/justhaifei1.blogspot.com\/2026\/04\/expmon-detected-sophisticated-zero-day-adobe-reader.html\" target=\"_blank\" rel=\"noopener\">In a blog this week<\/a>, Haifei Li said that EXPMON, the publicly-available exploit monitor he runs that scans samples to detect file-based zero-day exploits, had found an initial exploit that abuses the vulnerability in a Reader API.<\/p>\n<p>JavaScript code in the malware that automatically executes when the infected PDF is opened reads files on the compromised computer, collecting information including language settings, the Adobe Reader version number, the exact OS version, and the local path of the PDF file. 
It then sends the data to a remote server.<\/p>\n<p>This information will be useful to a threat actor planning on launching future attacks, including the installation of remote access tools, Li noted.<\/p>\n<p>Li said in his April 7 report that he tested the malware on what was at the time the latest version of Adobe Reader (26.00121367), and it still worked.<\/p>\n<p>In an update the next day, Li added that a variant dating back to last November had been found by another researcher, which suggests the malware had been in use at least since then.<\/p>\n<p>Adobe was asked for comment on the report, but no reply was received by deadline.<\/p>\n<p>It\u2019s not the first time Adobe Reader has been targeted. Vulnerabilities relating to it <a href=\"https:\/\/www.csoonline.com\/article\/520542\/data-protection-security-weakness-in-acrobat-pdf-reader-could-permit-malicious-attack.html\" target=\"_blank\" rel=\"noopener\">date back at least to 2007<\/a>, when a hole was found in a browser plug-in. <a href=\"https:\/\/www.csoonline.com\/article\/541012\/data-protection-fake-adobe-update-is-circulating.html\" target=\"_blank\" rel=\"noopener\">Fake Reader updates<\/a> are another threat actor favorite. 
Use-after-free memory vulnerabilities are also common; researchers at Zeropath <a href=\"https:\/\/zeropath.com\/blog\/cve-2025-54257-adobe-acrobat-reader-use-after-free\" target=\"_blank\" rel=\"noopener\">last year described one of them<\/a>, CVE-2025-54257.<\/p>\n<h2 class=\"wp-block-heading\">Traditional tactics<\/h2>\n<p>In addition to applying patches as soon as they are available, infosec leaders need to ensure employees receive regular security awareness training that includes warnings about opening unexpected PDFs, even those seemingly from trusted sources such as co-workers or managers.<\/p>\n<p>Threat actors traditionally use a variety of tactics to trick an employee into opening an email attachment, including using subject lines like \u201cUrgent,\u201d and \u201cInfo on bonus.\u201d The attachment itself may be given a name that conveys importance; in this case, the November variant carried the file name \u201cInvoice504.pdf.\u201d<\/p>\n<p>According to a report on this new malware <a href=\"https:\/\/www.virustotal.com\/gui\/file\/54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f\" target=\"_blank\" rel=\"noopener\">filed with malware scanning site VirusTotal<\/a>, to which anyone can upload suspicious files for scrutiny, the recipient is instructed to open the attachment specifically with Adobe Acrobat Reader.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">A high risk exploit<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/kellman\/\" target=\"_blank\" rel=\"noopener\">Kellman Meghu<\/a>, chief technology officer at Canadian incident response firm DeepCove Security, called the exploit \u201ca very high risk.\u201d<\/p>\n<p>So far it looks as though this particular malware just exfiltrates data, he said. But it implies there is an ability or capability to turn it into a vehicle for remote code execution. 
\u201cIt is a zero click [vulnerability],\u201d Meghu added, \u201cmeaning just viewing in a browser or email is likely enough to trigger it.\u201d<\/p>\n<p>CSOs should meet this threat by disabling Acrobat JavaScript, either by default or until there is a patch, he said. \u201cBut to be honest,\u201d he added, \u201cI think JavaScript execution is generally a bad idea in Adobe Reader,\u201d so it should be disabled.<\/p>\n<p><a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute, noted Adobe Acrobat and Reader have often been the targets of sophisticated exploits. These frequently take advantage of features like JavaScript, or leverage the ability to include, or nest, various document types inside a PDF. Many malware filters will detect and flag these types of documents as malicious, he said.<\/p>\n<p>\u201cCSOs should ensure that web proxies and email gateways have filters enabled to not allow PDFs that are not fully standards compliant, and to eliminate PDFs taking advantage of known problematic features like JavaScript,\u201d he said. \u201cAny attachment like this should also prominently note that it was received from a source outside the organization.\u201d<\/p>\n<p>\u201cSadly,\u201d he added, \u201cPDFs are still very common, and cannot be completely eliminated.\u201d<\/p>\n<p><a href=\"https:\/\/arcticwolf.com\/resources\/author\/adam-marre\/\" target=\"_blank\" rel=\"noopener\">Adam Marr\u00e8<\/a>, CISO at Arctic Wolf, said that what makes this new vulnerability particularly concerning is that it\u2019s being actively exploited and appears to work even on fully patched systems. That immediately raises the risk profile. 
\u201cEven without full visibility into the entire attack chain, the fact that initial access can be gained through something as routine as opening a PDF means organizations should treat this as a real and present security event,\u201d he said. \u201cFrom there, the potential impact can range from limited data exposure to follow\u2011on activity if attackers are able to deliver additional payloads.\u201d<\/p>\n<p>This becomes a matter of managing risk in real time, he pointed out. \u201cWhen a trusted tool suddenly falls outside an organization\u2019s acceptable risk threshold, the priority shifts to reducing exposure and increasing visibility. That may mean reassessing where the software is truly necessary, tightening how untrusted content is handled, and ensuring monitoring is in place to quickly detect any abnormal behavior,\u201d he said.<\/p>\n<p>\u201cJust as important is what happens after containment,\u201d he added. \u201cIncidents like this are an opportunity to evaluate what controls held up, where gaps surfaced, and how to operationalize those lessons. Threats tied to everyday user behavior aren\u2019t going away, so resilience depends on learning quickly and adapting just as fast.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Adobe Reader vulnerabilities have been exploited for decades by threat actors taking advantage of the universal use of the utility to fool employees into downloading infected PDF documents through phishing lures. 
Now a security researcher says a Reader hole has been quietly exploited by malware for as long as four months, fingerprinting computers to gather [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7769,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7768","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7768"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7768"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7768\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7769"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7768"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7768"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7768"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}