Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Adobe Reader Zero-Day Exploited for Months: Researcher

Reputable researcher Haifei Li has come across what appears to be a PDF designed to exploit an unpatched vulnerability.

Adobe vulnerabilities

A researcher has come across what appears to be an actively exploited Adobe Reader zero-day vulnerability.

Haifei Li is asking the cybersecurity community for assistance in investigating what he describes as a sophisticated PDF exploit.

Li is a reputable researcher who over the past two decades has worked at Fortinet, Microsoft, McAfee, and Check Point. He is the founder and developer of Expmon, a sandbox-based system designed to detect file-based zero-days and other exploits.

The new Reader exploit was detected by Expmon, and an analysis showed that the identified PDF “acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits”.

The researcher believes the PDF exploits a zero-day vulnerability as the attack has been confirmed to work against the latest version of Adobe Reader.

While Li has confirmed that the identified exploit collects user and other data from the compromised system, he was unable to reproduce the complete attack chain and obtain additional payloads that may be used for a sandbox escape or remote code execution. 

Advertisement. Scroll to continue reading.

SecurityWeek has reached out to Adobe, but it may take some time for the company to share information on its assessment considering that it only received the details of the exploit on or around April 7. 

Exploits targeting the potential zero-day have been submitted to both Expmon and VirusTotal. One sample identified on VirusTotal was submitted in November 2025, which indicates that the vulnerability has been exploited for at least 4 months.

One threat intelligence analyst who reviewed the exploits noted that the malicious PDFs contained Russian-language lures and referenced current events in Russia’s oil and gas sector. 

Adobe has credited Li with reporting several Reader and Acrobat vulnerabilities in recent years, including critical code-execution flaws. 

However, in the case of a Reader vulnerability discovered in 2024 and tracked as CVE-2024-41869, Adobe has not confirmed in-the-wild exploitation after Li reported coming across a PDF that apparently attempted to weaponize the bug. 

Related: Adobe Patches 80 Vulnerabilities Across Eight Products

Related: Patch Tuesday: Adobe Fixes 44 Vulnerabilities in Creative Apps

Related: TrueConf Zero-Day Exploited in Asian Government Attacks

Related: Fortinet Rushes Emergency Fixes for Exploited Zero-Day

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.