At a glance: A security researcher reported a possible Adobe Acrobat Reader zero‑day on April 7, 2026, but the vulnerability remains unconfirmed and has not been validated by Adobe or any government cyber authority. The alleged exploit relies on Adobe‑specific JavaScript APIs inside malicious PDFs, with limited evidence suggesting targeted activity dating back to late 2025. Because the claims are unverified, we are treating this as a developing situation. Below are some precautionary steps for organizations that rely heavily on Adobe Reader or are concerned about potential exposure.
Threat summary
On April 7, 2026, security researcher Haifei Li reported that their exploit‑monitoring tool detected what they believe to be an unpatched Adobe Acrobat Reader vulnerability being exploited in the wild (a zero-day). As of the time of this reporting, Adobe has not confirmed the issue, and no government cyber agency has issued supporting guidance.
The researcher’s description focuses on JavaScript‑based access to privileged Acrobat application programming interfaces (APIs) such as util.readFileIntoStream and RSS.addFeed. If accurate, this would enable unauthorized file access and potential data exfiltration.
The exploit allegedly relies on heavily obfuscated JavaScript embedded in a PDF. When opened, the script allegedly bypasses internal restrictions and accesses privileged APIs to read arbitrary local files and transmit them to remote infrastructure. This behavior enables data theft and provides a channel for additional payload delivery.
The researcher believes exploitation may have been occurring since November 28, 2025, based on a PDF uploaded to VirusTotal on that date, and referenced a second upload from March 23, 2026.
Researchers also reported on two files, “yummy_adobe_exploit_uwu.pdf” and “Invoice540.pdf,” which they associated with this activity. The campaign uses Russian‑language lures referencing the oil and gas sector, suggesting targeted distribution, though no confirmed attribution exists.
The claims remain unverified; Adobe has not acknowledged the vulnerability, and has not provided information on whether any patch is planned.
Analysis
We are treating this as a developing situation. The researcher’s claims have not been validated by Adobe or any authoritative channels such as government CSIRTs or the Cybersecurity and Infrastructure Security Agency. Monitoring for updates from those sources remains important, and we will update clients if verified information becomes available.
Organizations using Adobe Reader across Windows environments are potentially affected, though the risk remains unconfirmed. The alleged exploit requires only that a user open a malicious PDF, which would make exploitation low‑complexity if the vulnerability is real. The worst‑case scenario described involves remote code execution and sandbox escape, but no independent analysis has validated this behavior.
Organizations can reduce potential exposure by limiting the use of Adobe Reader for externally sourced PDF files until Adobe provides an official statement or patch. The vulnerability has not been confirmed, and these actions are precautionary recommendations for organizations that are concerned about the possibility of active exploitation. Many operating systems include built-in PDF viewers that do not support Adobe-specific JavaScript, which is where the alleged exploit resides. The following measures are optional risk-reduction steps for environments that rely heavily on Adobe Reader or have users who could be targeted.
Route untrusted or externally sourced PDF files to non-Adobe PDF viewers that do not support Adobe’s extended JavaScript APIs, reducing the conditions under which the alleged exploit can execute.
Restrict Adobe Acrobat Reader to workflows that explicitly require its advanced features, and use built-in operating system PDF viewers for general document handling.
Disable JavaScript execution in Adobe Reader across managed environments where business requirements allow, lowering exposure to JavaScript-based PDF attacks.
Apply application sandboxing or virtualization for Adobe Reader on high-risk endpoints to limit file system access if a malicious PDF is opened.
Increase monitoring for suspicious outbound connections and file access events associated with Adobe Reader processes, especially when handling externally sourced documents.
Scan inbound PDF attachments using advanced malware analysis tools capable of detecting embedded JavaScript and obfuscation patterns.
Track updates from Adobe and other authoritative sources to adjust controls once verified guidance or a patch becomes available.
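As an added illustration of the attachment-scanning measure above (this is example code written for this advisory, not a tool from Adobe or from the researcher), the following Python triage script inflates FlateDecode streams, undoes hex-escaped PDF names such as /J#61vaScript, and flags PDF action keys, common JavaScript obfuscation idioms, and the two API names cited in the report. The sample PDF it builds is constructed for the test and is not a real exploit.

```python
import re
import zlib

# Indicator sets. The two API names are the ones named in the report; the
# rest are standard PDF action/embedding keys and common JS obfuscation idioms.
ACTION_NAMES = (b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch", b"EmbeddedFile")
PRIVILEGED_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")
OBFUSCATION_HINTS = (b"eval(", b"unescape(", b"String.fromCharCode", b"\\x", b"%u")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)

def normalise_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def has_name(blob: bytes, name: bytes) -> bool:
    # Match /Name as a whole PDF name, not as a prefix of a longer one.
    return re.search(rb"/" + re.escape(name) + rb"(?![A-Za-z0-9])", blob) is not None

def triage_pdf(data: bytes) -> dict:
    """Heuristic triage of raw PDF bytes: inflate Flate streams so script bodies
    are inspected, normalise escaped names in the dictionaries, report hits."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:           # not Flate-compressed: inspect as-is
            bodies.append(m.group(1))
    dicts = normalise_names(STREAM_RE.sub(b"", data))
    blob = b"\n".join([dicts] + bodies)
    found = {
        "actions": [n.decode() for n in ACTION_NAMES if has_name(blob, n)],
        "privileged_apis": [a.decode() for a in PRIVILEGED_APIS if a in blob],
        "obfuscation": [h.decode() for h in OBFUSCATION_HINTS if h in blob],
    }
    if found["privileged_apis"] or (found["actions"] and found["obfuscation"]):
        found["verdict"] = "suspicious"
    else:
        found["verdict"] = "review" if found["actions"] else "clean"
    return found

def build_sample() -> bytes:
    """Constructed test input, not a real exploit: a minimal PDF whose /OpenAction
    runs a Flate-compressed script naming one reported API, with a hex-escaped name."""
    js = b"eval(String.fromCharCode(117,116,105,108)); util.readFileIntoStream;"
    body = zlib.compress(js)
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /J#61vaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")
```

Run `triage_pdf(open(path, "rb").read())` over quarantined attachments; a "suspicious" verdict is a cue for sandbox detonation, not proof of exploitation.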