Adobe finally patches PDF pest after months of abuse

Adobe has shipped a fix for a critical Acrobat and Reader vulnerability, CVE-2026-34621, closing a hole that allegedly let booby-trapped PDFs execute arbitrary code on Windows and macOS. The update was released on April 11. It has been reported that attackers had been exploiting the bug for months, and Adobe itself says it is “aware of CVE-2026-34621 being exploited in the wild.”
How the attack worked
Researchers say the malicious PDFs used heavily obfuscated JavaScript that called legitimate Acrobat APIs to fingerprint hosts. Based on the profile, the payload either stopped at reconnaissance or pulled a second-stage implant capable of remote code execution or sandbox escape. Some documents were written in Russian and referenced oil-and-gas themes; those lures reportedly point to a selective, rather than spray-and-pray, campaign.
Timeline, impact and unanswered questions
Evidence suggests activity stretching back to at least late 2025, giving attackers a comfortable runway. The exploit reportedly blended into normal Reader behavior, evading signature-based defenses. The patch closes the door, but it does not rewind the clock — anyone who opened a malicious PDF during that window may already have been profiled or worse. It has been reported that Adobe has not disclosed how many users were affected, how the bug was discovered internally, or why public acknowledgement lagged behind external reporting.
What to do now
If you run Acrobat or Reader, update immediately. Don’t open unexpected PDFs, even from known contacts. Enterprises should hunt for suspicious Reader activity, review EDR telemetry and assume compromise if they saw signs of the campaign. Adobe may have closed the hole — but plenty already walked through the door.
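For the hunting step, one place to start is triaging PDFs already sitting in mail quarantine or download folders for embedded script. The sketch below is an added example, not code from Adobe or the researchers; it flags any PDF that carries JavaScript, especially with an automatic trigger, and is not a signature for CVE-2026-34621, for which the article gives no indicators. The sample documents are constructed.

```python
import re
import zlib

SCRIPT_KEYS = {"JS", "JavaScript"}    # script-bearing entries
TRIGGER_KEYS = {"OpenAction", "AA"}   # actions fired without a click
NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.S)


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, so /J#61vaScript reads as JavaScript."""
    plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                   lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def expand_streams(data: bytes) -> bytes:
    """Replace each Flate stream with its inflated body; keep others raw."""
    def inflate(match):
        try:
            return zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            return match.group(1)
    return STREAM_RE.sub(inflate, data)


def triage_pdf(data: bytes) -> dict:
    """Count script and auto-run names after expanding compressed streams."""
    names = [decode_name(n) for n in NAME_RE.findall(expand_streams(data))]
    script = sum(n in SCRIPT_KEYS for n in names)
    trigger = sum(n in TRIGGER_KEYS for n in names)
    if script and trigger:
        verdict = "review first: script with automatic trigger"
    elif script:
        verdict = "review: embedded script"
    else:
        verdict = "no script markers"
    return {"script": script, "trigger": trigger, "verdict": verdict}


# Constructed samples (not from the campaign): the catalog sits in a compressed
# stream and the action name is hex-escaped, two common ways to dodge grep.
HIDDEN = zlib.compress(b"<< /Type /Catalog /OpenAction 3 0 R >>")
SAMPLE_AUTO = (b"%PDF-1.7\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + HIDDEN +
               b"\nendstream\nendobj\n3 0 obj\n<< /S /J#61vaScript /JS (constructed) >>\nendobj\n")
SAMPLE_CLEAN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, blob in (("auto", SAMPLE_AUTO), ("clean", SAMPLE_CLEAN)):
        print(label, triage_pdf(blob))
```

Encrypted PDFs and streams using filters other than Flate are not expanded, so a "no script markers" result on such a file means only that nothing was visible.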
Sources: The Register