Zero‑Day in Adobe Reader Exploited via Malicious PDFs Since December 2025
What Happened — Researchers observed a previously unknown zero‑day vulnerability in Adobe Reader being weaponized in malicious PDF files as early as December 2025. The exploit chain delivers remote code execution, allowing threat actors to take control of vulnerable endpoints.
Why It Matters for TPRM —
- Any third party that distributes or consumes PDF documents using Adobe Reader is exposed to a high‑impact attack surface.
- Compromise of a vendor’s workstation can serve as a foothold for lateral movement into your organization’s network.
- The vulnerability is actively exploited in the wild, leaving little time for reactive controls.
Who Is Affected — Enterprises across all sectors that rely on Adobe Reader for document handling, especially SaaS providers, financial services, healthcare, and government agencies.
Recommended Actions —
- Verify that all Adobe Reader installations are updated to the latest patched version (or apply Adobe’s emergency mitigation if a patch is not yet released).
- Enforce PDF sandboxing or disable JavaScript execution in Adobe Reader where feasible.
- Deploy endpoint detection and response (EDR) rules to flag anomalous PDF activity.
- Review third‑party contracts for clauses requiring timely security patching of client‑side software.
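The following PowerShell helper is an added example, not code from The Hacker News or from Adobe, that turns the first three recommended actions into something an endpoint administrator can run: it audits the installed Reader/Acrobat version, locks JavaScript off and the sandbox on through Adobe's machine-wide FeatureLockDown policy keys, and checks Sysmon process-creation events for a Reader process launching a script host. Assumptions: the `FeatureLockDown` value names (`bDisableJavaScript`, `bProtectedMode`, `iProtectedView`) are taken from Adobe's enterprise administration documentation; `$MinimumPatchedVersion` is a placeholder because the advisory states no patch or CVE has been published; the detection function requires Sysmon with process-creation logging and uses an assumed list of script hosts.

```powershell
# Added example (not from the advisory or from Adobe): audit Reader version,
# lock down JavaScript and the sandbox, and hunt for Reader-spawned script hosts.
# Run in an elevated session; the HKLM policy writes need administrator rights.

# ASSUMPTION: no patched build exists yet (the advisory says the CVE is pending),
# so this placeholder must be replaced with Adobe's fixed version once published.
$MinimumPatchedVersion = [version]'0.0.0'

# Policy keys Adobe documents for locking settings machine-wide: the classic
# Reader path and the path used by the unified 64-bit Acrobat/Reader build.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown',
    'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown'
)

function Get-AdobeReaderInstall {
    # Enumerate Uninstall entries (32- and 64-bit views) and report each
    # Acrobat/Reader product with whether it meets the minimum version.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Acrobat*' } |
        ForEach-Object {
            $v = $_.DisplayVersion -as [version]   # e.g. 25.001.20531 -> 25.1.20531
            [pscustomobject]@{
                Name    = $_.DisplayName
                Version = $v
                Patched = ($null -ne $v -and $v -ge $MinimumPatchedVersion)
            }
        }
}

function Set-AdobeReaderLockdown {
    # Apply the advisory's controls as locked policies so users cannot re-enable them:
    # JavaScript off, Protected Mode sandbox on, Protected View on for all files.
    $settings = @{
        bDisableJavaScript = 1   # disable Reader JavaScript and lock the UI toggle
        bProtectedMode     = 1   # force the Protected Mode sandbox on
        iProtectedView     = 2   # Protected View for every file, not only unsafe locations
    }
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $settings.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $settings[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Find-ReaderSpawnedScriptHost {
    # Look back over Sysmon Event ID 1 (process creation) for a Reader process
    # launching a script host, which a benign PDF open has no reason to do.
    # ASSUMPTION: Sysmon is installed with process-creation logging enabled.
    param([int]$Hours = 24)
    $readerImages = @('AcroRd32.exe', 'Acrobat.exe')
    $scriptHosts  = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                      'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe')
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull EventData fields by name from the event XML rather than by index.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not $data['ParentImage'] -or -not $data['Image']) { return }
        $parent = Split-Path -Leaf $data['ParentImage']
        $child  = Split-Path -Leaf $data['Image']
        if ($readerImages -contains $parent -and $scriptHosts -contains $child) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $parent
                Child       = $child
                CommandLine = $data['CommandLine']
                User        = $data['User']
            }
        }
    }
}

# Usage:
Get-AdobeReaderInstall | Format-Table -AutoSize
Set-AdobeReaderLockdown
Find-ReaderSpawnedScriptHost -Hours 72 | Format-Table -AutoSize
```

The lockdown writes to both policy paths because they are harmless for a product that is not installed, and doing so covers fleets with a mix of classic Reader and the unified Acrobat build. The detection is deliberately narrow (Reader parent, script-host child) so it can be dropped into an EDR or SIEM rule with few false positives; widen the child list only after baselining what Reader legitimately spawns in your environment.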
Technical Notes — The exploit is delivered via a crafted PDF (“Invoice540.pdf”) first seen on VirusTotal on 28 Nov 2025. It leverages a memory‑corruption flaw (CVE‑pending) that enables arbitrary code execution without user interaction beyond opening the file. No public CVE identifier has been assigned yet. Source: The Hacker News