Adobe Reader zero‑day active
A sophisticated, unpatched Adobe Reader zero‑day is being exploited to steal data without user interaction, with attackers delivering malicious PDFs like 'yummy_adobe_exploit_uwu.pdf'. Because the exploit requires no interaction, defenders are being urged to treat it as high severity until a patch appears. (x.com)
A Portable Document Format file is supposed to be a sealed envelope: text, images, and layout packed so the page looks the same on every computer. Adobe Acrobat Reader is the program millions of people use to open that envelope, which is why a bug there is such a useful doorway for attackers. (sophos.com)
A zero-day is a software flaw that attackers are already using before the vendor ships a fix. In this case, researchers say the Adobe Acrobat and Reader flaw has been exploited since at least December 2025, so defenders are dealing with a live break-in and no patch at the same time. (securityweek.com)
The trick sits inside JavaScript, which is the small scripting language that lets a Portable Document Format file do more than just display a page. Sophos says the malicious documents use obfuscated JavaScript, meaning the code is deliberately scrambled to hide what it is doing from scanners and analysts. (sophos.com)
That hidden code can reach privileged Acrobat application programming interfaces, which are the built-in functions Adobe normally reserves for trusted actions. Researchers say the exploit abuses those functions to pull sensitive user and system data and to set up possible follow-on attacks, including remote code execution. (sophos.com) (thehackernews.com)
The alarming part is how little the victim has to do. Haifei Li, the researcher who disclosed the activity on April 7, 2026, said the malicious Portable Document Format file runs when it is opened in fully updated Reader, with no extra clicks needed inside the document. (securityweek.com) (theregister.com)
The campaign does not look like random spam. Sophos says some lure documents were written in Russian and tied to the oil and gas sector, which points to targeted surveillance rather than a broad fake-invoice blast sent to everyone. (sophos.com)
That targeting pattern fits how zero-days often get used in the real world. Google’s Threat Analysis Group has reported for years that in-the-wild zero-days are especially valuable because they work before defenders have signatures, patches, or reliable detections in place. (blog.google)
There is still no public Adobe patch attached to the reporting that surfaced on April 9 and April 10, 2026, which is why security teams are treating any unexpected Portable Document Format attachment as suspect. Several outlets reporting on the case said organizations are falling back to blunt defenses like blocking external Portable Document Format files, disabling JavaScript in Reader where possible, and opening documents only in isolated sandboxes. (forbes.com) (techrepublic.com) (bleepingcomputer.com)
So the story is not just “a bad file exists.” It is that one of the most common document readers on Windows and Mac is being used as an entry point, through ordinary-looking Portable Document Format files, in a campaign that appears to have been running quietly for about four months before the wider security world caught it. (forbes.com) (securityweek.com)
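
The fallback defenses above (blocking external files, disabling JavaScript, sandboxing) depend on knowing which incoming files carry script that runs on open. The Python below is an added example, not code from Adobe, Sophos or the researcher: it counts the standard PDF name tokens for script and on-open actions, decoding the #xx escapes a name may use to dodge a plain string match. The sample bytes and verdict labels are constructed, and a hit is a routing signal for triage, not a detection of this specific exploit.

```python
import re

# PDF name tokens worth routing on: script actions, auto-run triggers, and
# compressed object streams (which can hide the other names from a raw scan).
WATCHED = ("JS", "JavaScript", "OpenAction", "AA", "ObjStm")
# A PDF name is "/" plus regular characters; whitespace and delimiters end it.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r /()<>\[\]{}%]+)")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample: an on-open action pointing at a script action whose
# subtype is written with a hex escape (#61 is "a").
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert\\('constructed sample'\\);) >> endobj\n"
)

def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Count watched names in raw PDF bytes and derive a coarse routing verdict."""
    counts = dict.fromkeys(WATCHED, 0)
    escaped = 0  # watched names that were written with hex escapes
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in counts:
            counts[name] += 1
            if b"#" in m.group(1):
                escaped += 1
    has_script = counts["JS"] + counts["JavaScript"] > 0
    auto_run = counts["OpenAction"] + counts["AA"] > 0
    if has_script and auto_run:
        verdict = "quarantine"          # script plus an on-open trigger
    elif has_script or escaped or counts["ObjStm"]:
        verdict = "sandbox-only"        # script, escaped names, or hidden objects
    else:
        verdict = "no-script-markers"   # nothing seen; says nothing about other flaws
    return {"counts": counts, "escaped_names": escaped, "verdict": verdict}

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

Because the scan runs over raw bytes, compressed streams can produce stray matches or hide names entirely, which is why `/ObjStm` alone already routes a file to the sandbox.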