Hackers Exploit Adobe PDF Flaw for Months to Steal Data, No Fix Yet

News Room

Attackers have been exploiting a zero-day vulnerability in Adobe Acrobat Reader for months, using malicious PDF files to silently steal data and potentially take over victim systems.

Active since at least December 2025, the campaign highlights how a seemingly routine document can serve as an effective entry point for system compromise.

This exploit “allows the threat actor to not only collect or steal local information but also potentially launch subsequent RCE/SBX attacks, which could lead to full control of the victim’s system,” said Haifei Li, security researcher and founder of EXPMON, as reported by BleepingComputer.

Inside the Acrobat Reader zero-day

The vulnerability impacts Adobe Acrobat Reader and can be triggered simply by opening a malicious PDF, lowering the barrier for attackers and increasing the effectiveness of phishing campaigns.

Researchers found that the flaw has already been leveraged in targeted attacks for at least four months.

At a technical level, the exploit abuses legitimate Acrobat APIs to extract sensitive data while using a fingerprinting-style approach to assess the victim’s environment and tailor its execution. This adaptive approach improves the exploit’s success rate while making it more difficult to detect.

Malicious PDF files are crafted to trigger the vulnerability immediately upon opening, requiring no additional user interaction. Once executed, the exploit leverages privileged APIs such as util.readFileIntoStream and RSS.addFeed to access local files and system data. This enables attackers to collect sensitive information directly from the endpoint.

Beyond data theft, the vulnerability can enable follow-on attacks such as remote code execution and sandbox escape, potentially allowing attackers to gain full control of compromised systems.

Attack scope

Researchers also identified a targeted element in the campaign, with malicious PDFs using Russian-language lures tied to developments in the oil and gas sector.

While this suggests a focus on specific regions or industries, the underlying exploit can be adapted for broader use across other targets.

At the time of publication, Adobe has not released a patch for this vulnerability, leaving organizations reliant on existing controls and user awareness to mitigate risk.

Steps to reduce PDF attack risk

To reduce risk, organizations should apply layered controls that address both user behavior and system configurations.

  • Avoid opening PDF files from unknown or untrusted sources and enforce strong email filtering and attachment sandboxing.
  • Harden Adobe Reader settings by disabling JavaScript, restricting embedded content, and enforcing protected or sandboxed modes.
  • Use isolation techniques such as virtual desktops or sandbox environments to safely open and analyze PDF files.
  • Monitor endpoint and network activity for suspicious behavior, including unusual API calls, outbound traffic, and Adobe Synchronizer User-Agent strings.
  • Restrict outbound network connections and apply DNS or domain filtering to limit data exfiltration paths.
  • Apply least privilege, privileged access management (PAM), and application control policies to restrict and monitor access to sensitive files and system resources.
  • Test incident response plans, conduct proactive threat hunting, and use attack simulation tools with phishing attack scenarios.
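As an added defensive example (not from the article, EXPMON, or Adobe), the Python script below applies two of the checks listed above: a static triage of a PDF for JavaScript that names the privileged APIs described earlier, and a proxy-log filter for Adobe Synchronizer User-Agent traffic to hosts outside an allowlist. The sample PDF, the log lines and the `adobe.com` allowlist are constructed placeholders, and the triage is a string match for analyst queueing, not a detector for the vulnerability itself.

```python
import re
import zlib
from urllib.parse import urlparse

# Privileged Acrobat JavaScript APIs the article names as abused by the exploit.
PRIVILEGED_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
REQ_RE = re.compile(r'"(?:GET|POST) (\S+)[^"]*".*"([^"]*)"\s*$')

def triage_pdf(pdf_bytes: bytes) -> dict:
    """Static first-pass triage: flag files carrying JavaScript that names the
    privileged APIs. A string match for analyst queueing, not a vuln detector."""
    parts = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):  # inflate Flate streams so the match
        try:                                  # also sees compressed JavaScript
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a zlib stream (e.g. image data); raw bytes already included
    text = b"\n".join(parts)
    has_js = b"/JavaScript" in text or b"/JS" in text
    apis = sorted(a.decode() for a in PRIVILEGED_APIS if a in text)
    return {"has_javascript": has_js, "privileged_apis": apis,
            "suspicious": has_js and bool(apis)}

def flag_synchronizer_egress(log_lines, expected_hosts=("adobe.com",)):
    """Proxy log lines where an Adobe Synchronizer User-Agent reaches a host
    outside the allowlist (assumed placeholder; build it from your own baseline)."""
    hits = []
    for line in log_lines:
        m = REQ_RE.search(line)
        if not m or "Adobe Synchronizer" not in m.group(2):
            continue
        host = urlparse(m.group(1)).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in expected_hosts):
            hits.append(line)
    return hits

# Constructed sample input: a minimal PDF whose OpenAction runs Flate-compressed
# JavaScript, plus three combined-log-style proxy lines.
_JS = b"var f = util.readFileIntoStream('/placeholder'); RSS.addFeed('https://example.invalid/');"
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
              b"2 0 obj<</S/JavaScript/JS 3 0 R>>endobj\n3 0 obj<</Filter/FlateDecode>>"
              b"stream\n" + zlib.compress(_JS) + b"\nendstream\nendobj\n%%EOF\n")
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET https://updates.adobe.com/manifest.xml HTTP/1.1" 200 "Adobe Synchronizer"',
    '10.0.0.5 - - "POST https://example.invalid/feed HTTP/1.1" 200 "Adobe Synchronizer"',
    '10.0.0.7 - - "GET https://example.org/ HTTP/1.1" 200 "Mozilla/5.0"',
]
```

Running `triage_pdf(SAMPLE_PDF)` reports both APIs and marks the file suspicious, while `flag_synchronizer_egress(SAMPLE_LOGS)` returns only the Synchronizer request to the non-allowlisted host.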

This campaign reflects a broader trend of attackers leveraging trusted file formats and built-in application functionality to bypass traditional security controls.

PDF-based exploits remain effective because they closely align with normal business workflows, making malicious activity harder to distinguish from legitimate use.

Editor’s note: This article was originally published on our sister publication, eSecurityPlanet.
