Adobe PDF zero‑day still active

There’s an Adobe PDF zero‑day that’s been active since December and is still affecting users, so this isn’t a one‑off flash in the pan. Security chatter flagged continued exploitation and user impact tied to specially crafted PDFs, which means unpatched readers and gateway scanners remain exposed. If you run PDF parsers or allow attachments, treat patch and mitigation timelines as urgent. (x.com) (x.com)

A portable document format file is supposed to be a sealed envelope: text, images, and layout that look the same on every screen. Adobe Acrobat Reader opens those envelopes, and attackers have been hiding code inside them for months. (adobe.com) (sophos.com)

A zero-day is a software flaw that defenders know is being abused before the vendor ships a fix. Security researchers said on April 7, 2026 that this Adobe Acrobat Reader flaw had already been exploited since at least December 2025. (sophos.com) (bleepingcomputer.com)

The trick starts when a victim opens a specially crafted portable document format file. Sophos said the file runs obfuscated JavaScript, which is scrambled script code meant to hide what it is doing. (sophos.com)

That hidden code then reaches into privileged Acrobat application programming interfaces, which are built-in functions that normally get special trust inside the reader. Researchers said attackers used functions such as `util.readFileIntoStream` and `RSS.addFeed` to pull data from the machine and prepare follow-on attacks. (bleepingcomputer.com) (sophos.com)

The important detail is how little the victim has to do. Haifei Li said the exploit worked on the latest Adobe Reader and needed no action beyond opening the file. (bleepingcomputer.com)

Researchers did not describe this as a random spam wave. Sophos said some lure documents used Russian-language themes tied to the oil and gas sector, which points to targeted phishing rather than a broad untargeted blast. (sophos.com) (bleepingcomputer.com)

This is why mail gateways and security tools that inspect portable document format attachments are part of the story, not just end-user laptops. If a parser opens or analyzes the same malicious file format on an unprotected path, the document can become an entry point before a human even reads the attachment. (sophos.com) (cisa.gov)

Adobe’s own enterprise release notes show regular Acrobat and Reader updates through April 2, 2026, but the public reporting around this campaign said defenders were still waiting for an official fix for the actively exploited flaw. That gap is what makes a zero-day dangerous: the attack is real first, and the patch arrives later. (adobe.com) (sophos.com)

Until Adobe ships that fix, researchers have been blunt about the stopgaps. Sophos recommended automatic scanning of portable document format email attachments, blocking suspicious files, training users to distrust unsolicited attachments, and temporarily avoiding Adobe Reader for untrusted PDFs. (sophos.com)

Haifei Li also pointed defenders to a network clue: HTTP or Hypertext Transfer Protocol traffic carrying the `Adobe Synchronizer` user-agent string. That is the kind of small detection detail security teams use when they need to catch an attack before the vendor can close the hole. (bleepingcomputer.com)
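
One way to hunt for the `Adobe Synchronizer` user-agent clue in proxy logs, as an added example that is not part of the original briefing or the researchers' tooling. It assumes a forward proxy writing combined log format with absolute URLs; the log lines, addresses and `example.test` hosts are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicator from the reporting above; matched case-insensitively as a substring.
UA_MARKER = "adobe synchronizer"

# Assumption: combined log format as written by a forward proxy,
# with the absolute URL (or CONNECT host:port) in the request line.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not captured traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/2026:10:12:01 +0000] "GET http://updates.example.test/feed.xml HTTP/1.1" 200 512 "-" "Adobe Synchronizer"
10.0.0.9 - - [07/Apr/2026:10:12:07 +0000] "GET http://intranet.example.test/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.5 - - [07/Apr/2026:10:12:09 +0000] "POST http://collect.example.test/up HTTP/1.1" 200 0 "-" "adobe synchronizer"
this line is truncated and must be skipped
10.0.0.7 - - [07/Apr/2026:10:13:30 +0000] "CONNECT cdn.example.test:443 HTTP/1.1" 200 0 "-" "Adobe Synchronizer"
"""

def destination(url):
    """Return the host for absolute URLs and CONNECT host:port targets."""
    host = urlsplit(url if "://" in url else "//" + url).hostname
    return host or url

def find_hits(lines):
    """Map client address -> list of (timestamp, method, destination host)."""
    hits = defaultdict(list)
    skipped = 0  # unparsable lines are counted, not silently dropped
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        if UA_MARKER in m["ua"].lower():
            hits[m["client"]].append((m["ts"], m["method"], destination(m["url"])))
    return dict(hits), skipped

if __name__ == "__main__":
    hits, skipped = find_hits(SAMPLE_LOG.splitlines())
    for client, events in sorted(hits.items()):
        for ts, method, host in events:
            print(f"{client} {ts} {method} -> {host}")
    print(f"unparsed lines: {skipped}")
```

Hits are leads for triage: review which destination hosts each client contacted with this user-agent, and watch the unparsed-line count so a log format change does not hide traffic.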
