# Zero-Day Vulnerability in Adobe Acrobat Reader: How JavaScript API Was Exploited to Steal Files
Adobe has patched a critical vulnerability CVE-2026-34621 in Acrobat Reader that allowed malicious PDF files to bypass the sandbox and execute arbitrary code without user interaction. The exploit used privileged JavaScript APIs to read local files and download additional payloads—all this happened just by opening the document.
Attack Mechanism via JavaScript API
The vulnerability stemmed from insufficient isolation between the PDF JavaScript execution environment and the host system. Although Acrobat Reader uses a sandbox to restrict script actions, researchers found that certain API methods remained accessible even in the restricted context. Two key methods formed the basis of the exploit:
util.readFileIntoStream()— allows reading the contents of arbitrary files on the local file system;RSS.addFeed()— used for adding external RSS feeds, but in this case, attackers used it to exfiltrate data and fetch additional code from a remote server.
Combining these functions not only enables stealing confidential files (e.g., C:\Users\...\credentials.txt), but also downloading the second stage of the attack—such as shellcode or a backdoor.
Exploit Detection and Analysis
A sample malicious PDF named yummy_adobe_exploit_uwu.pdf was submitted to the EXPMON system on March 26, 2026. Although the file appeared on VirusTotal as early as March 23, only five out of 64 antivirus solutions detected it as a threat. This indicates a high degree of obfuscation and the novelty of the exploitation technique.
Haifei Li, founder of EXPMON, initiated a manual analysis after the "deep detection" function triggered—a special module developed specifically for detecting complex exploits in Adobe Reader. The analysis confirmed the use of a zero-day active since at least December 2025.
Meanwhile, security researcher Gi7w0rm discovered real-world attacks targeting Russian-speaking organizations in the oil and gas sector. Lures used documents themed around industry tenders or technical specifications, increasing the likelihood of the target audience opening the file.
Affected Versions and Updates
Adobe has released emergency patches for the following products:
- Acrobat DC — versions up to 26.001.21367 (fix: 26.001.21411);
- Acrobat Reader DC — versions up to 26.001.21367 (fix: 26.001.21411);
- Acrobat 2024 — versions up to 24.001.30356 (fix: 24.001.30362 for Windows, 24.001.30360 for macOS).
Updates are recommended via the Help → Check for Updates menu, or by manually downloading the installer from Adobe's official website. The security bulletin lists no temporary workarounds—the only protection at the time of publication is installing the patch.
Recommendations for Cybersecurity Specialists and Developers
To reduce risks when working with PDF documents from untrusted sources:
- Open suspicious files in an isolated environment (e.g., a virtual machine without network access);
- Disable JavaScript execution in Acrobat Reader settings if the functionality is not needed;
- Use EDR/XDR solutions capable of monitoring API calls like
util.readFileIntoStream(); - Configure SIEM systems to detect unusual access to local files from processes like
AcroRd32.exeorAdobe Acrobat Reader.app.
It's important to understand that even "just viewing" a PDF can become an entry point for APT groups, especially if the document came via email from an unknown sender.
Key Takeaways
- Vulnerability CVE-2026-34621 allows bypassing the Acrobat Reader sandbox via JavaScript API.
- The attack requires no user interaction—just open the PDF.
- Methods
util.readFileIntoStream()andRSS.addFeed()are used to steal data and download payloads. - Real-world attacks target the oil and gas sector using Russian-language lures.
- The only protection is immediate update to the patched versions.
— Editorial Team
No comments yet.