Zero‑Day in Adobe Acrobat Reader Actively Exploited via Malicious PDFs Since December 2025
What Happened — A previously unknown vulnerability in Adobe Acrobat Reader is being weaponised in the wild. Attackers distribute specially‑crafted PDF files that trigger the flaw as soon as the document is opened, allowing data theft through Acrobat APIs and paving the way for remote‑code execution.
Why It Matters for TPRM —
- Third‑party endpoints that process PDFs become a direct foothold for threat actors.
- Compromise of a widely‑deployed client application can cascade into downstream supply‑chain risk for vendors that embed PDFs in reports, invoices, or contracts.
- No patch is currently available, leaving organisations reliant on mitigations and heightened monitoring.
Who Is Affected — Enterprises across all sectors that rely on Adobe Reader for document handling, notably Technology / SaaS, Financial Services, Healthcare, and Government agencies.
Recommended Actions —
- Enforce strict PDF handling policies: block PDFs from unknown senders and sandbox them before opening.
- Deploy network detection for the “Adobe Synchronizer” User‑Agent string and block associated traffic.
- Accelerate patch management once Adobe releases an update; in the interim, apply application‑level mitigations (e.g., disable vulnerable Acrobat APIs via configuration).
- Review third‑party contracts that require PDF exchange and verify that vendors have comparable controls.
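The network detection recommended above can be checked against proxy logs before it is turned into a blocking rule. The script below is an added example for this advisory, not code from Adobe or BleepingComputer: it parses a constructed tab-separated proxy log (the column layout and every sample line are assumptions), flags requests whose User-Agent contains “Adobe Synchronizer”, and groups the hits by internal client so an analyst sees which endpoints need triage and which destinations they reached.

```python
"""Flag proxy log entries whose User-Agent carries the "Adobe Synchronizer" string.

Added example for this advisory; not code from Adobe or BleepingComputer.
The tab-separated log layout and every sample line are constructed.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicator from the advisory: the User-Agent seen on the exploit's
# outbound requests. Matched case-insensitively as a substring so
# variants in casing or trailing version text are not missed.
INDICATOR_UA = "adobe synchronizer"

# Assumed log layout (constructed): timestamp, client IP, method, URL,
# HTTP status, User-Agent, separated by tabs. Adjust FIELDS for your proxy.
FIELDS = ["timestamp", "client", "method", "url", "status", "user_agent"]

# Constructed sample traffic. IPs are documentation ranges, not real hosts.
SAMPLE_LOG = (
    "2025-12-03T09:14:02Z\t10.20.5.17\tGET\thttps://downloads.example.test/reader/manifest.json\t200\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\n"
    "2025-12-03T09:14:09Z\t10.20.5.17\tPOST\thttp://198.51.100.23/feed/upload.php\t200\tAdobe Synchronizer\n"
    "2025-12-03T09:14:10Z\t10.20.5.17\tPOST\thttp://198.51.100.23/feed/upload.php\t200\tAdobe Synchronizer\n"
    "2025-12-03T09:15:44Z\t10.20.7.88\tGET\thttps://intranet.corp.test/reports/q4.pdf\t200\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0\n"
    "2025-12-03T09:16:01Z\t10.20.9.4\tGET\thttps://203.0.113.77/rss/items.xml\t200\tADOBE SYNCHRONIZER/1.0\n"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    method: str
    host: str
    user_agent: str


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse the tab-separated log into one dict per line (FIELDS as keys)."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter="\t")
    # Lines with too few columns leave user_agent as None; drop them.
    return [row for row in reader if row["user_agent"]]


def find_synchronizer_hits(text: str) -> list[Hit]:
    """Return every request whose User-Agent contains the indicator."""
    hits: list[Hit] = []
    for row in parse_log(text):
        if INDICATOR_UA in row["user_agent"].lower():
            host = urlparse(row["url"]).hostname or row["url"]
            hits.append(Hit(row["timestamp"], row["client"], row["method"], host, row["user_agent"]))
    return hits


def summarize_by_client(hits: list[Hit]) -> dict[str, list[str]]:
    """Map each internal client to the sorted hosts it contacted with the indicator UA."""
    seen: dict[str, set[str]] = defaultdict(set)
    for hit in hits:
        seen[hit.client].add(hit.host)
    return {client: sorted(hosts) for client, hosts in seen.items()}


if __name__ == "__main__":
    found = find_synchronizer_hits(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.timestamp} {hit.client} {hit.method} {hit.host} UA={hit.user_agent!r}")
    print("clients to triage:", summarize_by_client(found))
```

The User-Agent header is only visible to the proxy on plaintext HTTP or where the proxy terminates TLS; for HTTPS sessions that are not inspected, this check sees nothing and you fall back to baselining the destinations and DNS names that Reader endpoints normally contact. Run the query in alert mode first: the per-client summary tells you which endpoints to isolate and which destinations to block, which is safer than a blanket rule on the string alone.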
Technical Notes — The exploit leverages a zero‑day vulnerability in the latest Adobe Reader version, requires only that a PDF be opened (no macro or additional user interaction), and abuses the util.readFileIntoStream and RSS.addFeed APIs to harvest local files. Threat actors embed Russian‑language lures tied to the oil‑and‑gas sector, suggesting a targeted espionage motive. Monitoring for the “Adobe Synchronizer” string in HTTP/HTTPS headers is an effective early‑warning measure.
Source: BleepingComputer
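The two API names in the Technical Notes also give a static triage check for inbound PDFs, which complements the sandboxing step in Recommended Actions by deciding which files to queue first. The script below is an added example, not code from Adobe, BleepingComputer, or the advisory: it inflates FlateDecode streams (so compressed script bodies are searched too), reports whether util.readFileIntoStream or RSS.addFeed appear and whether the document carries script that runs on open, and builds its own constructed PDF fixtures so it runs offline. The fixture scripts only name the APIs; they are not the campaign's documents.

```python
"""Static triage of a PDF for the Acrobat API names cited in the advisory.

Added example; not code from Adobe, BleepingComputer, or the advisory.
It flags documents that reference util.readFileIntoStream or RSS.addFeed,
inflating FlateDecode streams first so compressed script bodies are
searched too. The sample PDFs are constructed test fixtures, not samples
from the campaign.
"""
from __future__ import annotations

import re
import zlib

# Names from the advisory's Technical Notes.
API_INDICATORS = (b"util.readFileIntoStream", b"RSS.addFeed")
# Structures that let script run when the document opens.
STRUCT_INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

# Stream bodies sit between "stream\n" (or "stream\r\n") and "\nendstream".
# The lookbehind stops "endstream" from being mistaken for a stream start.
STREAM_RE = re.compile(rb"(?<![a-z])stream\r?\n(.*?)\nendstream", re.DOTALL)


def expand_streams(pdf: bytes) -> bytes:
    """Return the raw file plus every stream body that inflates as zlib data."""
    parts = [pdf]
    for match in STREAM_RE.finditer(pdf):
        body = match.group(1)
        try:
            # decompressobj tolerates a trailing "\r" left by "\r\nendstream".
            parts.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            pass  # not Flate data; the raw body is already in `pdf`
    return b"\n".join(parts)


def triage_pdf(pdf: bytes) -> dict:
    """Classify a PDF as suspicious / review / no-indicators from string indicators."""
    blob = expand_streams(pdf)
    apis = sorted(i.decode() for i in API_INDICATORS if i in blob)
    structs = sorted(i.decode() for i in STRUCT_INDICATORS if i in blob)
    has_js = "/JavaScript" in structs or "/JS" in structs
    auto_exec = "/OpenAction" in structs or "/AA" in structs
    if apis:
        verdict = "suspicious"  # names the advisory ties to file harvesting
    elif has_js and auto_exec:
        verdict = "review"  # script that runs on open, purpose unknown
    else:
        verdict = "no-indicators"
    return {"verdict": verdict, "apis": apis, "structures": structs}


def build_sample_pdf(js: bytes | None) -> bytes:
    """Constructed minimal PDF; with `js`, an OpenAction runs it from a Flate-compressed stream."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 4 0 R" if js is not None else b"") + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    ]
    if js is not None:
        comp = zlib.compress(js)
        objs.append(b"<< /S /JavaScript /JS 5 0 R >>")
        objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp) + comp + b"\nendstream")
    out = [b"%PDF-1.7"]
    for num, body in enumerate(objs, start=1):
        out.append(b"%d 0 obj\n" % num + body + b"\nendobj")
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF")
    return b"\n".join(out)


# Constructed fixtures: one script only names the two APIs (no exploit logic),
# one is ordinary viewer scripting, and None yields a document with no script.
HARVEST_LIKE_JS = b"var data = util.readFileIntoStream(target);\nRSS.addFeed(feedUrl);\n"
BENIGN_JS = b"app.alert('Quarterly report loaded');\n"


if __name__ == "__main__":
    for label, js in (("harvest-like", HARVEST_LIKE_JS), ("benign", BENIGN_JS), ("no-script", None)):
        print(label, triage_pdf(build_sample_pdf(js)))
```

Treat the output as a queueing signal, not a verdict: string matching misses scripts that assemble the API names at runtime or sit behind filters other than FlateDecode, so a "no-indicators" result still goes through the sandbox the Recommended Actions call for, while "suspicious" files are held and their recipients' endpoints checked against the network detection above.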