A highly sophisticated zero-day exploit has been discovered targeting Adobe Reader users, allowing attackers to steal local files and potentially gain full control of victim systems. Detected by the EXPMON system on March 26, 2026, the exploit leverages unpatched vulnerabilities to bypass standard security measures without requiring any user interaction beyond simply opening a malicious PDF.
The exploit is designed as a multi-stage attack that first harvests information to “fingerprint” the victim’s system before potentially launching more destructive payloads. By abusing privileged Acrobat APIs, the malware can read any file accessible by the sandboxed Reader process.
The attack utilizes two specific APIs to achieve its goals:
- util.readFileIntoStream(): This allows the exploit to “read arbitrary files… on the local system” and steal sensitive local data.
- RSS.addFeed(): This is weaponized to both send stolen information to an attacker-controlled server and “receive additional JavaScript code to be executed”.
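Because the two API names above are the most stable indicator in an otherwise heavily obfuscated script, a defender can triage suspect PDFs by inflating their streams and looking for those names next to an autorun hook. The scanner below is an added example, not code from EXPMON or the original report; the minimal PDF it builds is constructed test data, and the `/OpenAction`, `/AA`, `/JavaScript` and `/JS` keys are standard PDF keys assumed here as the usual ways a document's JavaScript is wired to run on open.

```python
import re
import zlib

# Acrobat JavaScript APIs the report says the exploit abuses, and the PDF
# keys that cause embedded JavaScript to run automatically when opened.
SUSPICIOUS_APIS = ("util.readFileIntoStream", "RSS.addFeed")
AUTORUN_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS")

# \b keeps "endstream" from being mistaken for the start of a stream.
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\nendstream", re.S)


def extract_streams(pdf: bytes):
    """Yield each stream body, inflated when it is a FlateDecode stream."""
    for body in STREAM_RE.findall(pdf):
        try:
            # decompressobj tolerates trailing bytes such as a stray CR
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body  # uncompressed or otherwise encoded: search raw bytes


def scan_pdf(pdf: bytes) -> dict:
    """Report autorun keys and abused API names found in the file and its streams."""
    searchable = pdf + b"\n".join(extract_streams(pdf))
    hits = {
        "autorun_keys": [k.decode() for k in AUTORUN_KEYS if k in pdf],
        "apis": [a for a in SUSPICIOUS_APIS if a.encode() in searchable],
    }
    # Flag the combination: JavaScript wired to run on open AND a privileged API.
    hits["suspicious"] = bool(hits["autorun_keys"]) and bool(hits["apis"])
    return hits


def build_sample_pdf(js: str) -> bytes:
    """Constructed minimal PDF (test data, not the real sample) whose
    OpenAction runs the given JavaScript from a FlateDecode stream."""
    stream = zlib.compress(js.encode())
    length = str(len(stream)).encode()
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + length + b" /Filter /FlateDecode >>\nstream\n"
        + stream + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf("app.alert('hello');")))
    print(scan_pdf(build_sample_pdf("util.readFileIntoStream(p); RSS.addFeed(u);")))
```

The check is deliberately narrow: it catches this exploit's API fingerprint even under Flate compression, but a script that assembles the API names at runtime would need emulation rather than string matching.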
The discovery of this exploit was made possible through EXPMON’s “Big Data Analytics” (BDA) process, which hunts for abnormalities across millions of logs. Analysts found that the malicious PDF, curiously titled “yummy_adobe_exploit_uwu.pdf” by its submitter, used heavily obfuscated JavaScript to hide its intent.
Manual analysis confirmed the sophistication of the code. Once the initial obfuscation was stripped away, researchers found the script was designed to collect:
- Language settings and exact OS versions.
- Adobe Reader version numbers.
- The local path of the PDF file.
To evade network-based detection, the malware utilizes “cryptography to decrypt the payload” returned from the remote server.
While the primary observed behavior is data theft, the exploit’s architecture allows for far more dangerous follow-on attacks. Researchers noted that the server can deliver additional code that could achieve Remote Code Execution (RCE) or a Sandbox Escape (SBX).
In a controlled test, researchers modified the exploit to connect to a private server. When the server returned a simple alert command, “it was successfully executed by the Adobe Reader client,” confirming the ability to launch future high-level exploits.
This vulnerability is currently unpatched and has been confirmed to work on the latest versions of Adobe Reader. While EXPMON is notifying Adobe Security, users are urged to remain on high alert.
Update on April 11
This flaw is tracked as CVE-2026-34621 (CVSS 9.6) and leads to arbitrary code execution. “Adobe is aware of CVE-2026-34621 being exploited in the wild,” the company confirms.