Adobe has issued an emergency out-of-band security update for Acrobat Reader, patching a prototype pollution vulnerability that has been exploited in the wild since at least November 2025. CVE-2026-34621 carries a CVSS score of 8.6 and represents over four months of undetected zero-day exploitation against one of the most widely installed document viewers in enterprise environments.
The Vulnerability and Attack Chain
CVE-2026-34621 is a prototype pollution vulnerability, a class of JavaScript flaw in which an attacker injects or modifies properties on shared base objects (such as Object.prototype), so that attacker-controlled values propagate to every object inheriting from them and can lead to unexpected code execution. In the Acrobat Reader context, the flaw is triggered by opening a specially crafted PDF that contains embedded JavaScript.
Research by EXPMON documented the attack chain in detail:
- The malicious PDF executes embedded JavaScript automatically upon opening; no additional user interaction beyond opening the file is required.
- The script collects system intelligence (Acrobat Reader version, operating system details, environment metadata) and transmits it to a command-and-control server.
- Based on the fingerprint response, the C2 server delivers additional JavaScript to perform advanced environment profiling.
- For confirmed high-value targets on exploitable configurations, the C2 delivers Remote Code Execution and sandbox escape (SBX) exploits.
The staged C2-driven payload delivery is characteristic of sophisticated threat actors who conserve their most capable exploits for specific targets, making mass detection by sandboxes and automated analysis more difficult.
Four Months of Exploitation
The gap between first exploitation (November 2025) and today's patch (April 2026) is significant. Adobe's official advisory acknowledges exploitation in the wild, and CISA's addition of the flaw to its Known Exploited Vulnerabilities (KEV) catalog on the same day confirms government confidence in the active exploitation assessment.
This dwell time means that enterprise environments relying on PDF email scanning or gateway inspection may have had this attack vector available to adversaries for the entirety of Q4 2025 and Q1 2026. Any suspicious PDF received during that window that was opened in an unpatched Acrobat Reader instance should be treated as a potential compromise indicator.
Affected and Fixed Versions
Adobe has addressed CVE-2026-34621 in:
- Acrobat DC and Acrobat Reader DC: v26.001.21411 (Windows and macOS)
- Acrobat 2024: v24.001.30362 (Windows), v24.001.30360 (macOS)
The patch is available through Adobe's automatic update mechanism and through the Adobe Security Bulletin APSB26-43.
CISA has set 27 April 2026 as the remediation deadline for Federal Civilian Executive Branch agencies.
Recommended Actions
- Apply the Adobe patch immediately via Adobe Updater or by downloading from the Adobe Security Bulletin APSB26-43. This affects all enterprise deployments of Acrobat Reader DC and Acrobat 2024.
- Audit email security logs from November 2025 onwards for PDF attachments that were delivered to users and opened in Acrobat Reader. These represent potential exposure events.
- Consider enabling Protected View in Acrobat Reader settings (Files from Potentially Unsafe Locations) if not already enforced; this mitigates some JavaScript execution vectors in PDFs, though it is not a substitute for patching.
- Review endpoint detection telemetry for unusual process spawning from AcroRd32.exe or Acrobat.exe since November 2025: child processes, network connections from the reader process, or suspicious file writes are indicators of compromise.
- Enforce PDF reader policy via endpoint management: ensure Acrobat Reader auto-update is enabled across the fleet and confirm version compliance within 24 hours given the extended exploitation window.
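As an added illustration of the telemetry review and version compliance actions above (not code from Adobe, EXPMON or this article): a small Python triage script that checks installed builds against the fixed versions listed in APSB26-43 and flags child processes spawned by Acrobat during the exploitation window in constructed process-creation records. The event field names, the sample records and the allowlist of Acrobat's own helper processes are assumptions.

```python
"""Triage helpers for CVE-2026-34621: version compliance plus process-tree review.
Added example with constructed data; event field names are assumptions."""
from datetime import datetime, timezone

# Fixed builds per track, as listed in Adobe Security Bulletin APSB26-43.
FIXED_VERSIONS = {
    ("acrobat_dc", "windows"): "26.001.21411",
    ("acrobat_dc", "macos"): "26.001.21411",
    ("acrobat_2024", "windows"): "24.001.30362",
    ("acrobat_2024", "macos"): "24.001.30360",
}
READER_PROCESSES = {"acrord32.exe", "acrobat.exe"}
# Chromium helper processes Acrobat spawns itself; assumed benign, tune per fleet.
EXPECTED_CHILDREN = {"rdrcef.exe", "acrocef.exe"}
EXPLOITATION_START = datetime(2025, 11, 1, tzinfo=timezone.utc)

def parse_version(v: str) -> tuple:
    """'v26.001.21411' -> (26, 1, 21411) so builds compare numerically, not as text."""
    return tuple(int(p) for p in v.lstrip("v").split("."))

def is_patched(product: str, platform: str, version: str) -> bool:
    """True when the installed build is at or above the fixed build for its track."""
    fixed = FIXED_VERSIONS[(product, platform.lower())]
    return parse_version(version) >= parse_version(fixed)

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def suspicious_children(events: list, since: datetime = EXPLOITATION_START) -> list:
    """Return (utc_time, parent, child) for every process created by an Acrobat
    process on or after `since`, excluding Acrobat's expected helper processes."""
    hits = []
    for e in events:
        parent, child = basename(e["parent_image"]), basename(e["image"])
        ts = datetime.fromisoformat(e["utc_time"])
        if parent in READER_PROCESSES and child not in EXPECTED_CHILDREN and ts >= since:
            hits.append((e["utc_time"], parent, child))
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"utc_time": "2026-01-14T09:12:03+00:00", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"},
    {"utc_time": "2026-01-14T09:11:58+00:00", "image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RdrCEF.exe",
     "parent_image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"},
    {"utc_time": "2025-09-02T15:40:10+00:00", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"},
    {"utc_time": "2026-01-14T09:11:50+00:00", "image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]
```

Point `suspicious_children` at exported process-creation events and `is_patched` at an inventory of installed builds; a Reader-spawned shell in the window or a build below the fixed version is what warrants a closer look.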