Adobe Reader exploit warning
Security researchers report hackers have been exploiting an unpatched Adobe Reader vulnerability for months to fingerprint and compromise machines used for shared documents. For anyone handling client PDFs or review packages, the flaw raises practical risks around file sharing and operational hygiene. (csoonline.com)
A Portable Document Format file is supposed to be a sealed envelope: text and images go in, and the person opening it just reads what is inside. Adobe Acrobat Reader breaks that simple model by supporting JavaScript, which is a scripting language that lets a document run little programs when the file opens. (csoonline.com)
Adobe adds a sandbox to contain those little programs, like letting a visitor talk to you through glass instead of walking through your house. Adobe’s own security guide says Protected Mode and Protected View are the features meant to keep a PDF from touching the wider system unless the user trusts it. (adobe.com)
The new problem is that researchers say attackers found a way around that barrier in Adobe Reader, and the trick has been working in real attacks since at least December 2025. Haifei Li, who runs the exploit-monitoring platform EXPMON, said he tested the malicious file against Reader version 26.00121367 and the exploit still worked. (sophos.com, csoonline.com)
The attack does not need a macro button, a download prompt, or a second click. Li said opening the PDF is enough for obfuscated JavaScript, which is code deliberately scrambled to hide what it does, to start running inside Reader. (bleepingcomputer.com, sophos.com)
That code first fingerprints the machine, which means it quietly checks details that tell the attacker what kind of target they have landed on. CSO reported that the sample reads the Adobe Reader version, the exact operating system version, language settings, and even the local path where the PDF was opened. (csoonline.com)
BleepingComputer said the malicious document also abuses privileged Acrobat application programming interfaces, which are built-in functions that normal documents should not be able to use freely. The two functions named in public reporting were `util.readFileIntoStream`, which can read local files, and `RSS.addFeed`, which can be used in the exploit chain to reach beyond ordinary document behavior. (bleepingcomputer.com)
Once that system profile is sent to a remote server, the PDF stops looking like a harmless attachment and starts acting like a scout. Li warned that the same foothold can be used for follow-on remote code execution, which means running attacker commands on the victim machine, or sandbox-escape attacks that break out of Reader’s containment. (csoonline.com, bleepingcomputer.com)
The campaign does not look random. Sophos said another researcher tied the lure documents to Russian-language themes connected to the Russian oil and gas sector, which points to targeted phishing rather than bulk spam sent to everyone with an email address. (sophos.com)
There was still no public patch or advisory from Adobe in the reporting published on April 9 and April 10, 2026. That leaves companies in the awkward position of treating ordinary PDF exchange like they would treat a suspicious executable file until Adobe ships a fix. (csoonline.com, forbes.com)
The practical move right now is boring but effective: do not open unexpected PDFs in Adobe Reader, especially ones sent over email by a new contact, a spoofed manager, or a client thread that suddenly changes tone. Sophos said organizations should scan PDF attachments automatically, block suspicious files, train users to distrust unsolicited attachments, and temporarily avoid using Adobe Reader to open PDFs when possible. (sophos.com)
If a team has to keep handling client briefs, contracts, or review packages today, the safest workflow is to separate receipt from opening. Adobe says Protected View is its most locked-down read-only mode for Windows, and Li’s advice was even simpler: until a patch exists, do not open untrusted PDF documents in Adobe Reader at all. (adobe.com, bleepingcomputer.com)
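The automatic attachment scanning that Sophos recommends can start with a static triage pass, shown here as an added example that is not code from Adobe, Sophos, or EXPMON: it flags the PDF keys that make script run on open and the two API names cited in the reporting, looking through hex-escaped names and Flate-compressed streams. The function names and sample bytes are constructed for illustration, and encrypted files or streams using other filters are not inspected.

```python
import re
import zlib

# Name keys that make a PDF run script, and the two privileged API names
# cited in public reporting on this campaign.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
API_MARKERS = (b"util.readFileIntoStream", b"RSS.addFeed")

def _decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes, so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def _inflate_streams(data: bytes) -> bytes:
    """Concatenate every stream body that zlib can inflate (FlateDecode)."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate, or encrypted: left uninspected
    return b"\n".join(out)

def triage_pdf(data: bytes) -> dict:
    """Return which active-content keys and API markers a PDF contains."""
    body = _decode_names(data)
    text = body + b"\n" + _inflate_streams(data)
    names = [n.decode() for n in ACTIVE_NAMES
             if re.search(re.escape(n) + rb"(?![A-Za-z0-9])", text)]
    apis = [a.decode() for a in API_MARKERS if a in text]
    # Script of any kind is enough to quarantine: obfuscated code can
    # hide the API names, so a marker miss does not clear the file.
    return {"names": names, "apis": apis, "quarantine": bool(names or apis)}

# Constructed sample: a PDF-like fragment with an escaped /JavaScript name
# and a Flate stream holding inert marker text (not a working document).
_js = zlib.compress(b"/* constructed */ util.readFileIntoStream; RSS.addFeed;")
SAMPLE = (b"%PDF-1.7\n1 0 obj\n<< /OpenAction 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n"
          b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + _js +
          b"\nendstream\nendobj\n%%EOF\n")
CLEAN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
    print(triage_pdf(CLEAN))
```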