Adobe Reader zero‑day exploited

Hackers are actively exploiting a zero‑day flaw in Adobe Reader that can steal data via specially crafted PDFs without any extra interaction beyond opening the file. The vulnerability heightens the immediate risk for organizations that still rely on desktop PDF readers and underlines the need for rapid patching and defensive controls. (x.com)

A portable document format (PDF) file is supposed to be a sealed envelope: text, images, and layout that look the same on every screen. Adobe's own documentation says those files can also carry JavaScript code and hidden objects, which is why a booby-trapped document can act more like a program than a page. (adobe.com) JavaScript is the small scripting language that makes websites react when you click a button. In a PDF reader, that same language can automate form fields, calculations, and other features, which also gives attackers a place to hide code inside a document. (adobe.com)

The new problem is that researchers say attackers found a way to make Adobe Reader run privileged application programming interfaces (APIs), the built-in functions normally reserved for trusted code inside the app rather than for scripts carried in an untrusted document. Sophos said the malicious PDFs use obfuscated JavaScript and trigger the attack as soon as the file is opened. (sophos.com)

A zero-day is a flaw the vendor has not patched yet, so defenders start at day zero with no official fix. Public reporting on April 9 and April 10 said this Adobe Reader bug has been exploited in the wild since at least December 2025. (sophos.com) (forbes.com) What makes this one nasty is how much effort it saves the attacker. Haifei Li of EXPMON said the exploit works on the latest version of Adobe Reader and needs no interaction beyond opening the PDF. (forbes.com) (thehackernews.com)

The first job of the malicious file appears to be reconnaissance, the digital version of a burglar checking which doors are unlocked before coming back at night. Researchers said the PDFs can harvest local user and system data, send it to a remote server, and then wait for more code. (thehackernews.com) (sophos.com) That matters because data theft is not necessarily the end of the attack. Sophos and other security reporting said the same channel could be used for follow-on remote code execution, which means making the victim's computer run attacker commands, or for sandbox escape attempts, which means breaking out of the reader's isolation layer so the damage is no longer confined to the app. (sophos.com) (techrepublic.com)

The campaign does not look random. Sophos said another researcher saw Russian-language lures tied to current events in Russia's oil and gas sector, which points to targeted emails aimed at specific organizations rather than a spray-and-pray spam blast. (sophos.com)

There is an official reason security teams treat "exploited in the wild" as a separate alarm bell. The United States Cybersecurity and Infrastructure Security Agency keeps a Known Exploited Vulnerabilities catalog precisely because bugs that are already being used by attackers move to the front of the patch line. (cisa.gov) As of the public reporting on April 9 through April 11, researchers were telling organizations to wait for an official Adobe patch and reduce exposure in the meantime: scan PDF attachments for embedded JavaScript, block suspicious files, warn users about unsolicited documents, and temporarily open untrusted PDFs in something other than Adobe Reader. (sophos.com) (forbes.com)
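As an added example (not from the article, and not code from Sophos, EXPMON or Adobe), the Python script below shows what "scanning PDF attachments" for this kind of lure can look like at the byte level. It resolves the #xx hex escapes the PDF syntax allows inside names (a cheap way to defeat keyword scanners), inflates Flate-compressed streams so content hidden in object streams becomes visible, and flags the combination of an open-time trigger (/OpenAction, /AA) with a script (/JavaScript, /JS). The three sample PDFs are constructed for the demo; the scanner is a triage heuristic for active content, not a signature for the specific exploit, which the page does not describe at that level of detail.

```python
"""Byte-level triage of PDF attachments for active content (added example)."""
import re
import zlib

# Name objects worth flagging. Keys stay as bytes because PDFs are binary.
SUSPICIOUS = {
    b"/OpenAction": "action that fires when the document is opened",
    b"/AA": "additional actions (page or form-field triggers)",
    b"/JavaScript": "JavaScript action dictionary",
    b"/JS": "script body, as a string or a stream",
    b"/Launch": "action that starts an external program",
    b"/EmbeddedFile": "embedded file payload",
}
TRIGGERS = {"/OpenAction", "/AA"}
SCRIPTS = {"/JavaScript", "/JS"}

_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
# "stream\n ... endstream"; the lookbehind stops "endstream\n" from starting a match.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /J#61va#53cript compares equal to /JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes):
    """Best-effort inflate of every stream body (FlateDecode is the common case).

    Returns (inflated bytes, number of streams that could not be decoded) so the
    caller knows when part of the file was never actually inspected."""
    chunks, failed = [], 0
    for m in _STREAM.finditer(data):
        try:
            d = zlib.decompressobj()
            chunks.append(d.decompress(m.group(1)))  # trailing newline ends up in unused_data
        except zlib.error:
            failed += 1  # other filter (LZW, ASCIIHex, ...) or damaged data
    return b"\n".join(chunks), failed


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names in the raw file and inside inflated streams."""
    if not data.lstrip().startswith(b"%PDF-"):
        raise ValueError("not a PDF: missing %PDF- header")
    raw = normalize_names(data)
    inflated, failed = inflate_streams(data)   # inflate the original bytes, then decode names
    inflated = normalize_names(inflated)
    report = {"undecoded_streams": failed, "hits": {}}
    for name, why in SUSPICIOUS.items():
        pat = re.compile(re.escape(name) + rb"(?![A-Za-z0-9])")  # /JS but not /JSX
        n_raw, n_inf = len(pat.findall(raw)), len(pat.findall(inflated))
        if n_raw or n_inf:
            report["hits"][name.decode()] = {"raw": n_raw, "inflated": n_inf, "why": why}
    return report


def verdict(report: dict) -> str:
    hits = set(report["hits"])
    if hits & TRIGGERS and hits & SCRIPTS:
        return "block"   # script wired to an open-time trigger: the pattern Sophos describes
    if hits or report["undecoded_streams"]:
        return "review"  # active content, or streams the scanner could not see into
    return "allow"


# --- constructed samples: minimal PDFs with no xref table, enough for a byte scanner ---
def _pdf(objects) -> bytes:
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objects))
    return b"%PDF-1.7\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def _objstm(obj_num: int, obj: bytes) -> bytes:
    # Object stream holding one object; the header "N 0 " gives (object number, offset).
    hdr = b"%d 0 " % obj_num
    z = zlib.compress(hdr + obj)
    return (b"<< /Type /ObjStm /N 1 /First %d /Length %d /Filter /FlateDecode >>\n"
            b"stream\n%s\nendstream" % (len(hdr), len(z), z))


_SKELETON = [b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>", b"<< /Type /Page /Parent 2 0 R >>"]
JS_ACTION = b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>"

BENIGN = _pdf([b"<< /Type /Catalog /Pages 2 0 R >>"] + _SKELETON)
# Open action plus script, with the tell-tale names hex-escaped.
OBFUSCATED = _pdf([b"<< /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >>"] + _SKELETON
                  + [b"<< /S /J#61va#53cript /JS (app.alert('constructed sample')) >>"])
# Same action, but the dictionary lives inside a compressed object stream, so a grep
# over the raw bytes sees /OpenAction and never /JavaScript.
COMPRESSED = _pdf([b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>"] + _SKELETON
                  + [_objstm(5, JS_ACTION)])

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("obfuscated", OBFUSCATED), ("compressed", COMPRESSED)):
        r = scan_pdf(doc)
        print(label, verdict(r), r)
```

Two design points matter for a gateway deployment. First, a non-zero `undecoded_streams` count should route the file to a sandbox rather than pass it, because an attacker only needs one filter the scanner does not decode. Second, the verdict keys on the pairing of a trigger with a script, not on the presence of JavaScript alone, since plenty of legitimate forms carry calculation scripts and blocking every one of them would push users toward disabling the control.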

Shared from Scout - Be the smartest in the room.