Adobe zero-day exploited since December
- Adobe said on April 11 it shipped an emergency fix for CVE-2026-34621, a critical Acrobat and Reader flaw exploited in the wild on Windows and macOS through malicious PDF files.
- Researchers said the attacks date to at least December 2025 and used obfuscated JavaScript in PDFs to invoke privileged Acrobat functions, steal data, and potentially trigger further code execution.
- Cisco Talos separately found attackers abusing n8n cloud webhooks since October 2025, with phishing emails using those links up 686% by March 2026. (talosintelligence.com)
Adobe has patched a critical Acrobat and Reader flaw, CVE-2026-34621, after confirming it was being exploited in the wild through malicious PDF files. (helpx.adobe.com)

A zero-day is a software bug attackers use before a vendor has shipped a fix. In this case, opening a booby-trapped PDF in Adobe Reader could trigger malicious JavaScript and expose data or lead to code execution. (sophos.com) (helpx.adobe.com)

Adobe published bulletin APSB26-43 on April 11, 2026 and said the bug affects Acrobat DC and Reader DC version 26.001.21367 and earlier, plus Acrobat 2024 version 24.001.30356 and earlier on Windows and macOS. (helpx.adobe.com) The fixed builds are 26.001.21411 for Acrobat DC and Reader DC, 24.001.30362 for Acrobat 2024 on Windows, and 24.001.30360 for Acrobat 2024 on macOS. Adobe rated the update Priority 1 and said successful exploitation could lead to arbitrary code execution. (helpx.adobe.com)

Researchers said the campaign had been active since at least December 2025. Sophos said the malicious PDFs used obfuscated JavaScript to call privileged Acrobat application programming interfaces, steal user and system data, and set up follow-on attacks. (sophos.com) Sophos also said the lure documents were tied to Russian-language themes linked to the oil and gas sector, a sign the activity was targeted rather than broad spam. Adobe credited Haifei Li of EXPMON with reporting the flaw. (sophos.com) (helpx.adobe.com)

The bug itself is a prototype-pollution issue, a class of flaw where attacker-controlled data changes how a program handles objects in memory. Adobe lists it as an improper modification of object prototype attributes and gives it a CVSS severity score of 8.6. (helpx.adobe.com)

A separate April 15 report from Cisco Talos showed attackers abusing n8n, a workflow-automation platform, as delivery infrastructure. Talos said phishing emails containing n8n webhook URLs in March 2026 were about 686% higher than in January 2025. (talosintelligence.com) Talos said attackers used n8n-hosted links in fake OneDrive sharing emails, then served CAPTCHA pages that led victims to malicious executable or Microsoft Installer files. Some payloads installed modified Datto or ITarian remote-management tools and created scheduled tasks for persistence. (talosintelligence.com)

Together, the two reports show the same pressure point from different sides: one attack starts with a trusted document format, the other with a trusted cloud domain. In both cases, the first click looks routine. (helpx.adobe.com) (talosintelligence.com)