Patches Released for Adobe Zero-Day Vulnerability CVE-2026-34621

THE THREAT

On April 11th, 2026, Adobe published a security advisory addressing a previously reported zero-day vulnerability impacting multiple versions of Acrobat Reader. The flaw, tracked as CVE-2026-34621 (CVSS: 8.6), is an arbitrary command execution vulnerability that has been exploited in the wild since at least November 2025.

Given the active exploitation of the flaw, organizations are recommended to upgrade Acrobat Reader to its latest secure versions.

What we’re doing about it

• eSentire has developed detections within MDR for Network in response to this disclosure
• eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2026-34621
• Known IoCs have been added to eSentire's Threat Intelligence Platform (TIP) and are available for Threat Feed subscribers
• Known malicious infrastructure has been added to eSentire's Global Block List available to eSentire MDR for Network customers
• eSentire's Threat Response Unit (TRU) is evaluating additional detection opportunities within MDR for Endpoint

What you should do about it

• After performing a business impact review, apply the relevant security patches
• Treat all PDF files from untrusted sources as suspicious and avoid opening them unless verified
• Disable or restrict JavaScript execution in PDF readers where not required
• Educate users about the risks of opening unknown attachments by conducting regular Phishing and Security Awareness Trainings (PSATs)

Additional information

On April 7th, Haifei Li from EXPMON disclosed a flaw in Adobe Acrobat Reader that was being exploited since at least December 2025. The threat actors targeted the application using a malicious PDF file embedded with a JavaScript (JS) code. Another security researcher found an artifact from November 2025, suggesting active exploitation for at least four months.

As per EXPMON research, the malicious PDF executes embedded JS code upon opening. The script collects system information, including the Acrobat Reader version, and sends it to a Command-and-Control (C2) server. In response, additional JS code is fetched from the C2 server to enable advanced fingerprinting. Eventually, Remote Code Execution (RCE) and sandbox (SBX) escape exploits may be deployed on the compromised host. CVE-2026-34621 allows attackers to harvest system information, potentially leading to RCE.

Exploitation requires user interaction, specifically opening a malicious PDF file. Ensuring that users do not interact with suspicious PDFs from untrusted sources can help defend against this threat. Adobe’s advisory notes that the CVSS score for CVE-2026-34621 was adjusted from 9.6 to 8.6, suggesting a reevaluation of the flaw. It also does not explicitly mention RCE in the impact, instead describing it as arbitrary code execution. Despite the revised CVSS score and no mention of RCE, CVE-2026-34621 requires prompt attention, as active exploitation has been confirmed. Given the popularity of Adobe Acrobat Reader, organizations are recommended to apply the relevant security patches immediately to avoid the risk of exploitation.

Impacted Versions List:

• Adobe Acrobat DC versions 26.001.21367 and earlier
• Adobe Acrobat Reader DC versions 26.001.21367 and earlier
• Adobe Acrobat versions 2024 24.001.30356 and earlier

References:

[1] https://helpx.adobe.com/security/products/acrobat/apsb26-43.html
[2] https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-34621