A dangerous zero-day vulnerability in Adobe Reader has been actively exploited in the wild since at least December 2025 — for over four months — with no official patch yet available. The flaw was uncovered by security researcher Haifei Li, founder of the sandbox-based exploit detection platform EXPMON, who described the exploit as “highly sophisticated” and unlike anything he had previously analyzed.
A Zero-Click PDF Exploit
What makes this vulnerability particularly alarming is its delivery mechanism: the exploit fires as soon as a malicious PDF file is opened, with no interaction required beyond opening the file. The exploit specifically targets the latest version of Adobe Reader, meaning fully up-to-date users remain at risk.
Li described it as a “fingerprinting-style” exploit — one that first silently profiles the victim’s system before executing its payload. This reconnaissance step suggests the attackers are selective about their targets, deploying additional exploit stages only against high-value victims.
What the Exploit Does
Once a victim opens the malicious PDF, the exploit leverages privileged Adobe Acrobat APIs — specifically util.readFileIntoStream and RSS.addFeed — to:
- Steal sensitive files from the victim’s system
- Deploy additional exploits as a second-stage payload
- Profile the environment to determine further attack vectors
The exploit bypasses Adobe’s sandboxing protections and operates with privileges that should not normally be accessible to PDF-embedded scripts.
Who Is Being Targeted?
Analysis of the malicious PDF documents revealed Russian-language lures referencing current events in the Russian oil and gas industry. This targeting pattern suggests the campaign may be focused on individuals working in or connected to Russia’s energy sector — potentially industrial espionage with nation-state involvement.
Threat intelligence analyst Gi7w0rm, who independently analyzed samples of the exploit, corroborated Li’s findings and confirmed the sophistication of the campaign.
No Patch Available Yet
As of the time of writing, Adobe has not released a fix for this vulnerability. The company has acknowledged the issue and is working on a patch, but organizations and individuals should consider interim mitigations immediately.
Recommended Mitigations
- Avoid opening unsolicited PDF files, especially from unknown or unexpected sources
- Use an alternative PDF reader (e.g., browser-based viewers like Chrome’s built-in PDF reader) until a patch is available
- Disable JavaScript in Adobe Reader: go to Edit → Preferences → JavaScript and uncheck “Enable Acrobat JavaScript”
- Enable Protected Mode in Adobe Reader settings for an additional layer of sandboxing (the exploit is reported to bypass Adobe's sandbox, so treat this as defense in depth rather than a complete mitigation)
- Consider opening PDFs in isolated or virtual environments for sensitive workflows
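Because the exploit is delivered as PDF-embedded JavaScript that calls the privileged Acrobat APIs named above (util.readFileIntoStream and RSS.addFeed), a useful interim control is to triage incoming PDFs before anyone opens them. The script below is an added example written for this article, not code from the researchers or from Adobe: it scans a PDF's raw bytes and its FlateDecode streams for JavaScript actions, document-open triggers, and references to those two API names, and builds its own constructed sample PDFs so it runs offline. The API list, the risk levels and the sample PDFs are assumptions for illustration; obfuscated scripts (split strings, hex-encoded names, eval) would evade this first-pass check, so it supports the mitigations above rather than replacing them.

```python
import re
import zlib

# Acrobat JavaScript APIs the article reports as abused by the exploit.
SUSPICIOUS_APIS = ("util.readFileIntoStream", "RSS.addFeed")

# A stream body runs from "stream\n" to "\nendstream"; the lookbehind stops
# "endstream" itself from being mistaken for the start of a new stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_KEY_RE = re.compile(rb"/(JavaScript|JS)\b")          # JavaScript action objects
AUTO_RUN_RE = re.compile(rb"/(OpenAction|AA)\b")        # runs on open / on an event


def inflate(body):
    """Best-effort FlateDecode; decompressobj tolerates a truncated trailer."""
    try:
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return b""


def extract_blobs(pdf_bytes):
    """Return the raw file plus every stream body, compressed and inflated."""
    blobs = [pdf_bytes]
    for match in STREAM_RE.finditer(pdf_bytes):
        body = match.group(1)
        blobs.append(body)
        inflated = inflate(body)
        if inflated:
            blobs.append(inflated)
    return blobs


def scan_pdf(pdf_bytes):
    """Heuristic triage: does the file carry JavaScript, does it auto-run,
    and does the script text reference the privileged APIs?"""
    findings = {"has_javascript": False, "auto_run": False, "apis": []}
    for blob in extract_blobs(pdf_bytes):
        if JS_KEY_RE.search(blob):
            findings["has_javascript"] = True
        if AUTO_RUN_RE.search(blob):
            findings["auto_run"] = True
        for api in SUSPICIOUS_APIS:
            if api.encode() in blob and api not in findings["apis"]:
                findings["apis"].append(api)
    findings["risk"] = classify(findings)
    return findings


def classify(findings):
    """Assumed risk ladder: API reference > auto-running JS > any JS > none."""
    if findings["apis"]:
        return "high"
    if findings["has_javascript"] and findings["auto_run"]:
        return "medium"
    if findings["has_javascript"]:
        return "low"
    return "none"


def build_sample_pdf(js_source=None):
    """Constructed minimal PDF for testing the scanner (not a real sample).
    With js_source, the script is stored FlateDecode-compressed and wired to
    the catalog's /OpenAction so it would run when the document opens."""
    open_action = b" /OpenAction 4 0 R" if js_source else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R" + open_action + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
    ]
    if js_source:
        compressed = zlib.compress(js_source.encode())
        objs.append(b"<< /S /JavaScript /JS 5 0 R >>")
        objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
                    + compressed + b"\nendstream")
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    # Constructed script text that merely names one of the reported APIs.
    suspicious = build_sample_pdf("var data = util.readFileIntoStream(path);")
    print("suspicious sample:", scan_pdf(suspicious))
    print("benign sample:   ", scan_pdf(build_sample_pdf()))
```

The API name only appears inside the compressed stream, so the check succeeds only because the scanner inflates FlateDecode bodies; a scanner that greps the raw file would report JavaScript but miss the privileged call. In practice this belongs at a mail gateway or file-share ingest point, quarantining "high" and "medium" results for analyst review rather than blocking on "low", since many legitimate forms carry harmless JavaScript.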
This disclosure is a stark reminder that even trusted, ubiquitous applications like Adobe Reader can harbor critical unpatched vulnerabilities. Users should treat every unexpected PDF as a potential threat until Adobe releases a fix.