Adobe Reader Zero-Day Has Been Exploited Through Malicious PDFs Since Late 2025

Introduction

A previously unknown zero-day vulnerability in Adobe Reader has been actively exploited through weaponized PDF documents since at least December 2025. Security researcher Haifei Li from EXPMON described the exploit as highly sophisticated, and the first malicious sample appeared on VirusTotal in late November 2025 — months before public disclosure.

What Happened

Researchers identified a crafted PDF file, initially uploaded as "Invoice540.pdf," that exploits an unpatched flaw in Adobe Reader. Unlike simple macro-based attacks, this exploit leverages a deep vulnerability in the PDF rendering engine itself. When a victim opens the document in a vulnerable version of Adobe Reader, the exploit triggers silently — no additional user interaction beyond opening the file is required. A second variant of the malicious PDF was later identified, indicating that the attack is not a one-off but part of an ongoing campaign. The exploit had been circulating in the wild for approximately four months before it was publicly flagged, giving attackers a significant head start against defenders.

Why It Matters

PDFs remain one of the most trusted file formats in business. Invoices, contracts, reports, and resumes are exchanged as PDFs every day across every industry. A zero-day that requires nothing more than opening a PDF turns every inbox into a potential attack vector. The fact that this exploit was active for months before detection highlights a recurring blind spot: organizations often focus endpoint security on executable files and scripts while treating document formats as lower-risk. Attackers know this and continue to exploit the gap.

Who Is Affected

  • Any organization or individual using Adobe Acrobat Reader on Windows, macOS, or Linux
  • Finance, legal, and HR teams that routinely open PDF attachments from external sources
  • Enterprises without sandboxed PDF viewing or email attachment scanning
  • Users running outdated versions of Adobe Reader without automatic updates enabled

How to Protect Yourself

1. Update Adobe Reader immediately

Open Adobe Reader and check for the latest patch:

Help → Check for Updates

Or download the latest version directly from Adobe's security bulletins page.

2. Enable Protected View in Adobe Reader

This runs PDFs in a restricted sandbox, limiting what an exploit can do:

Edit → Preferences → Security (Enhanced)
→ Enable "Protected View" for "All files"

3. Scan PDF attachments before opening

If your email gateway doesn't already detonate attachments in a sandbox, consider adding that capability. For manual checks:

# Upload suspicious PDFs to VirusTotal with the vt-cli client
# (requires an API key configured once with "vt init"; note that uploaded
# files are shared with other VirusTotal users, so do not submit sensitive documents)
vt scan file Invoice540.pdf

# Or inspect the object structure offline with Didier Stevens' pdf-parser;
# -a prints statistics, including counts of risky keywords such as /JavaScript,
# /OpenAction, /AA and /Launch
python pdf-parser.py -a suspicious.pdf

4. Block PDFs from auto-opening in email clients

Configure Outlook or your email client to download attachments rather than preview them. Disable automatic rendering of embedded content.

5. Deploy application control or EDR with PDF exploit detection

Modern EDR solutions can detect anomalous behavior spawned from reader processes. Ensure your endpoint agent monitors AcroRd32.exe and Acrobat.exe for child process creation and network connections.
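As an added example (not code from the original article), here is a minimal Python detector in the spirit of step 5: it replays Sysmon-style JSON process-creation (EventID 1) and network-connection (EventID 3) events and flags a Reader process that spawns a shell or connects on an unexpected port. The suspicious-child list, the expected port set and the sample events are assumptions to be tuned per environment.

```python
import json

# Reader processes named on the page; matched on the lower-cased image basename.
READER_IMAGES = {"acrord32.exe", "acrobat.exe"}
# Children a PDF viewer should never launch (assumed list; tune per environment).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Ports Reader is expected to use for updates and cloud services (assumption).
EXPECTED_PORTS = {80, 443}


def basename(path: str) -> str:
    """Lower-cased last path component, for Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict):
    """Return an alert string for one Sysmon-style event, or None when benign."""
    image = basename(event.get("Image", ""))
    if event.get("EventID") == 1:  # process creation
        parent = basename(event.get("ParentImage", ""))
        if parent in READER_IMAGES and image in SUSPICIOUS_CHILDREN:
            return f"{parent} spawned {image}: {event.get('CommandLine', '')}"
    elif event.get("EventID") == 3:  # network connection
        port = event.get("DestinationPort")
        if image in READER_IMAGES and port not in EXPECTED_PORTS:
            return f"{image} connected to {event.get('DestinationIp')}:{port}"
    return None


def scan(log_lines):
    """Run classify() over JSON-lines telemetry; malformed lines are skipped."""
    alerts = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real captures): a benign HTTPS update check,
# a shell spawned by Reader, an outbound connection on an odd port, and junk.
READER = r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe"
SAMPLE_LOG = [json.dumps(e) for e in (
    {"EventID": 3, "Image": READER, "DestinationIp": "192.0.2.10", "DestinationPort": 443},
    {"EventID": 1, "ParentImage": READER, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 3, "Image": READER, "DestinationIp": "198.51.100.7", "DestinationPort": 4444},
)] + ["not json"]
```

Running scan(SAMPLE_LOG) yields two alerts (the spawned cmd.exe and the port 4444 connection); the HTTPS event and the malformed line produce none.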

6. Educate users on unsolicited PDF attachments

Remind staff that invoices and documents arriving unexpectedly — especially from unknown senders — should not be opened without verification, regardless of file type.

Source

Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 — The Hacker News