Zero-Day in Adobe Acrobat Reader (CVE‑2026‑34621) Enables File Theft via Malicious PDFs
What Happened – Researchers discovered a previously unknown vulnerability (CVE‑2026‑34621) in Adobe Acrobat/Reader that is being actively exploited. A specially crafted PDF can read arbitrary local files and exfiltrate them without any additional user interaction, and can also pull malicious JavaScript for further code execution.
Why It Matters for TPRM –
- The flaw bypasses Adobe’s sandbox, exposing any organization that allows PDF viewing on employee workstations.
- Data exfiltration can occur silently, compromising confidential files and increasing breach risk.
- The vulnerability is already exploited in the wild, meaning threat actors have functional exploit kits targeting third‑party vendors and their customers.
Who Is Affected – All industries that rely on Adobe Acrobat/Reader for document handling, including Technology & SaaS, Financial Services, Healthcare, Government, Education, and any managed‑service providers that distribute PDFs to end‑users.
Recommended Actions –
- Deploy Adobe’s emergency update (Acrobat DC 26.001.21411 or later; Acrobat 2024 24.001.30362/30360) across all endpoints immediately.
- Enforce strict PDF source validation and limit opening of unsolicited attachments.
- Verify that endpoint protection solutions block known malicious Adobe “Synchronizer” user‑agent strings.
- Monitor network traffic for unexpected outbound connections from Adobe processes.
Technical Notes – The exploit is triggered simply by opening a malicious PDF (no clicks or additional permissions). It reads arbitrary files, sends them to a command‑and‑control server, and can load remote JavaScript, potentially escaping the sandbox. Affected products: Acrobat DC 26.001.21367 and earlier; Acrobat Reader DC 26.001.21367 and earlier; Acrobat 2024 24.001.30356 and earlier (Windows/macOS). CVE‑2026‑34621. Source: Malwarebytes Labs
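One way to act on the version figures above, as an added example that is not from Adobe or Malwarebytes: a Python triage of an endpoint inventory export against the affected and fixed builds listed in this brief. The CSV columns, host names, product-name matching and the choice to treat either listed Acrobat 2024 build as fixed are assumptions.

```python
import csv
import io

# Builds from this brief: track -> (highest affected, lowest fixed).
TRACKS = {
    "DC": ((26, 1, 21367), (26, 1, 21411)),
    "2024": ((24, 1, 30356), (24, 1, 30360)),  # assumption: either listed 2024 build is fixed
}

# Constructed inventory export; hosts and column names are hypothetical.
SAMPLE = """host,product,version
ws-001,Acrobat Reader DC,26.001.21367
ws-002,Acrobat DC,26.001.21411
ws-003,Acrobat 2024,24.001.30356
mac-004,Acrobat 2024,24.001.30360
ws-005,Acrobat DC,26.001.21390
ws-006,Acrobat Reader DC,26.1
"""

def parse_version(text):
    """'26.001.21367' -> (26, 1, 21367); ValueError on any other shape."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)

def classify(product, version):
    """Return vulnerable / patched / verify / unknown-product / unparsed-version."""
    words = product.lower().split()
    track = "2024" if "2024" in words else "DC" if "dc" in words else None
    if track is None:
        return "unknown-product"
    try:
        build = parse_version(version)
    except ValueError:
        return "unparsed-version"
    affected_max, fixed_min = TRACKS[track]
    if build <= affected_max:
        return "vulnerable"
    if build >= fixed_min:
        return "patched"
    return "verify"  # falls between the two builds the brief names

def triage(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["product"], r["version"]) for r in rows}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts that come back as "verify" or "unparsed-version" need a manual check, since the brief does not say how builds between the affected ceiling and the fixed build should be treated.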