Adobe has released an emergency patch addressing a critical zero‑day vulnerability in Acrobat and Reader (CVE‑2026‑34621), which has been actively exploited in the wild since December 2025. This flaw allowed attackers to weaponize malicious PDF files to achieve arbitrary code execution, bypassing sandbox protections and enabling full system compromise.
XEye Security published a detailed blog post warning about this exploit. We highlighted how attackers were using invoice‑themed phishing PDFs to deliver payloads capable of fingerprinting systems, escaping Reader’s sandbox, and executing remote code.
On April 12, 2026, Adobe issued updates to close the vulnerability:
- Acrobat DC / Reader DC: Version 26.001.21411
- Acrobat 2024 (Windows): Version 24.001.30362
- Acrobat 2024 (macOS): Version 24.001.30360
The company confirmed that exploitation had been ongoing for months, making this patch essential for all users.
Regulatory Pressure
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2026‑34621 to its Known Exploited Vulnerabilities (KEV) catalog on April 13, 2026. Federal agencies are required to patch by April 27, 2026, underscoring the urgency of remediation.
Risks if Unpatched
- Remote code execution via malicious PDFs
- Potential data theft and lateral movement
- High risk of compromise in trusted business workflows
Mitigation & Best Practices
As we advised in our original blog:
- Make sure that Adobe Reader is updated immediately
- Block suspicious PDFs at email gateways
- Train staff to recognize invoice‑themed phishing attempts
- Deploy endpoint monitoring for abnormal PDF behavior
- Preserve forensic logs for investigations
- Install Malwarebytes WFC on Windows devices and switch to profile Medium and Display Notifications.
Conclusion
By patching immediately and following our recommended mitigations, you can close the door on one of the most dangerous PDF‑based exploits in recent years.
