Code Defence Cyber security

Adobe patches critical Acrobat and Reader zero-day exploited since 2025

A critical prototype pollution vulnerability in the world's most popular PDF reader has been active in the wild for several months. This flaw allows for unauthenticated remote code execution on both Windows and macOS systems via the opening of a maliciously crafted document.

Tracked as CVE-2026-34621, the vulnerability resides in the JavaScript engine of Adobe Acrobat and Reader. Attackers have been leveraging this flaw since at least December 2025 to deliver secondary payloads and exfiltrate sensitive local data. CISA added this to the KEV catalog on April 13 following the release of an emergency patch from the vendor.

Document readers remain a primary vector for initial access because PDFs are a fundamental component of business operations. When a zero-day exploit remains undetected for months, it provides a stable window for sophisticated threat actors to maintain persistence across high-value enterprise endpoints.

– Update Adobe Acrobat and Reader to the latest security version (APSB26-43) immediately.

– Utilize MDM to disable JavaScript and untrusted API calls within PDF readers across the enterprise fleet.

– Deploy secure email gateways to pre-scan and neutralize suspicious PDF attachments before they reach the endpoint.

– Monitor for anomalous child processes spawned by Acrobat.exe or AdobeReader.app in EDR logs.
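
The child-process check in the last item, sketched as an added example (not code from this article, from Adobe or from any EDR product). The event schema, the baseline of expected helper processes, the interpreter list and the sample events are assumptions constructed for illustration; only the parent names `Acrobat.exe` and `AdobeReader.app` come from the text above.

```python
import json

READER_PARENTS = {"acrobat.exe", "adobereader.app"}  # names as given in the article
# Assumed baseline of helpers the reader normally starts; tune per fleet.
EXPECTED_CHILDREN = {"acrocef.exe", "rdrcef.exe", "adobearm.exe", "adobecollabsync.exe"}
# Assumed high-severity children: shells and script hosts.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "sh", "bash", "zsh", "osascript"}

def components(path):
    """Lower-cased path components for Windows or POSIX style paths."""
    return [p.lower() for p in path.replace("\\", "/").split("/") if p]

def triage(event):
    """Return None, 'review' or 'high' for one process-creation event."""
    if not READER_PARENTS.intersection(components(event["parent_image"])):
        return None  # parent is not the PDF reader
    child = components(event["image"])[-1]
    if child in EXPECTED_CHILDREN:
        return None
    return "high" if child in INTERPRETERS else "review"

def scan(lines):
    """Triage JSON-lines events; malformed records are skipped, not fatal."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
            severity = triage(event)
            if severity:
                hits.append((severity, event["host"], event["image"]))
        except (ValueError, KeyError, IndexError, TypeError, AttributeError):
            continue
    return hits

# Constructed sample events (hypothetical schema: host, parent_image, image).
ACRO = r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"
SAMPLE = [json.dumps(e) for e in [
    {"host": "WS-01", "parent_image": r"C:\Windows\explorer.exe", "image": ACRO},
    {"host": "WS-01", "parent_image": ACRO, "image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe"},
    {"host": "WS-02", "parent_image": ACRO, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "MAC-07", "parent_image": "/Applications/AdobeReader.app/Contents/MacOS/AdobeReader", "image": "/bin/zsh"},
    {"host": "WS-03", "parent_image": ACRO, "image": r"C:\Users\Public\updater.exe"},
]] + ["{truncated"]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit)
```

Matching on any path component lets the same rule cover a Windows image path and a macOS bundle path; unknown children are surfaced as `review` rather than dropped, so the baseline can be tuned without losing visibility.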

The longevity of this zero-day highlights the strategic advantage an adversary gains when targeting core productivity tools that are excluded from aggressive sandboxing.