Active Zero-Day Exploit Targeting Adobe Reader Users
Severity: High (Score: 76.0)
Sources: Heise.De, Feeds2.Feedburner, Bleepingcomputer, Cybersecuritynews, Theregister
Summary
A zero-day vulnerability in Adobe Reader has been actively exploited since at least December 2025, allowing attackers to execute remote code and steal sensitive data through malicious PDF files. Security researcher Haifei Li identified the exploit, which requires no user interaction beyond opening a PDF document. The exploit leverages a memory corruption flaw and uses sophisticated techniques to evade detection, including in-memory execution and obfuscation. Attackers have been observed using Russian-language lures related to the oil and gas industry to target victims. The vulnerability affects the latest version of Adobe Reader, and organizations are advised to refrain from opening untrusted PDF files until a patch is released. Adobe has been notified of the issue, but no patch had been issued as of the latest reports. The exploit's sophistication suggests involvement by well-resourced threat actors, possibly nation-state linked.
Key Points
- A zero-day vulnerability in Adobe Reader allows remote code execution via malicious PDFs.
- The exploit has been active since at least December 2025 and targets users with no interaction beyond opening the document.
- Attackers are using sophisticated evasion techniques, including in-memory execution.
Key Entities
- Malware (attack_type)
- Zero-day Exploit (attack_type)
- T1005 - Data From Local System (mitre_attack)
- T1203 - Exploitation for Client Execution (mitre_attack)
- Acrobat (platform)
- Adobe Acrobat Reader (platform)
- Adobe Reader (platform)
- SessionReaper (vulnerability)