Adobe Acrobat and Reader CVE-2026-34621 Zero-Day Exploitation

hello@craftedsignal.io — Mon, 13 Apr 2026 15:37:41 +0000

Adobe has addressed CVE-2026-34621, a zero-day vulnerability affecting Acrobat DC, Acrobat Reader DC, and Acrobat 2024 versions on both Windows and macOS. This flaw has been actively exploited in the wild since at least December, with initial discovery occurring after a malicious PDF sample named “yummy_adobe_exploit_uwu.pdf” was submitted for analysis. The vulnerability allows specially crafted PDF files to bypass sandbox restrictions, invoke privileged JavaScript APIs, and potentially execute arbitrary code. Successful exploitation can lead to reading and stealing arbitrary local files. The impacted versions include Acrobat DC and Reader DC versions 26.001.21367 and earlier, as well as Acrobat 2024 versions 24.001.30356 and earlier. This zero-day requires immediate patching across enterprise and personal environments.

Attack Chain

Attacker crafts a malicious PDF file containing JavaScript code designed to exploit CVE-2026-34621.
The attacker distributes the malicious PDF via email, web download, or other means.
The victim opens the malicious PDF in a vulnerable version of Adobe Acrobat or Reader.
The vulnerability allows the malicious PDF to bypass sandbox restrictions.
The PDF invokes privileged JavaScript APIs, such as util.readFileIntoStream(), to read arbitrary local files.
The PDF utilizes RSS.addFeed() to exfiltrate the stolen data to an attacker-controlled server.
The attacker gains access to sensitive information stored on the victim’s machine.
The attacker uses the initial access for further exploitation, such as lateral movement or data exfiltration.

Impact

Successful exploitation of CVE-2026-34621 allows attackers to bypass sandbox restrictions within Adobe Acrobat and Reader, leading to arbitrary code execution and unauthorized access to local files. This could result in the theft of sensitive data, such as credentials, financial information, or intellectual property. Although the number of victims is currently unknown, security researcher Gi7w0rm spotted attacks in the wild that leveraged Russian-language documents with oil and gas industry lures, and the potential impact is significant, especially for organizations that handle sensitive information in PDF documents.

Recommendation

Immediately update Adobe Acrobat DC and Reader DC to version 26.001.21411 or later, and Acrobat 2024 to version 24.001.30362 (Windows) or 24.001.30360 (Mac) via ‘Help > Check for Updates’ to remediate CVE-2026-34621.
Implement the “Detect Execution of Suspicious JavaScript in PDFs” Sigma rule to identify potential exploitation attempts within your environment.
Monitor file creation events for files matching the name “yummy_adobe_exploit_uwu.pdf” or similar filenames identified during future investigations.
Educate users to be cautious when opening PDF files from untrusted sources and encourage them to verify the sender’s authenticity before opening any attachments.

Adobe RdrCEF.exe Hijack for Persistence

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

This detection identifies a persistence technique where attackers replace Adobe Acrobat Reader’s RdrCEF.exe with a malicious executable. This allows the attacker to gain persistence, as their malicious file will be executed every time the user launches Adobe Acrobat Reader DC. The rule focuses on detecting the file creation event of a file named RdrCEF.exe in the Adobe Acrobat Reader directory. The targeted versions are those using the RdrCEF.exe file located within the AcroCEF subdirectory. The purpose of this technique is to maintain unauthorized access to a compromised system. This technique was publicly discussed on Twitter as early as 2018.

Attack Chain

Initial access is gained through an existing compromise or vulnerability.
The attacker locates the RdrCEF.exe file within the Adobe Acrobat Reader installation directory (e.g., C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\).
The legitimate RdrCEF.exe file is either deleted or renamed.
A malicious executable is created or copied and renamed to RdrCEF.exe in the same directory.
The system is used as normal, and whenever Adobe Acrobat Reader DC is launched, the malicious RdrCEF.exe is executed.
The malicious executable performs its intended actions, such as establishing a reverse shell, injecting code into other processes, or exfiltrating data.
The attacker maintains persistent access to the compromised system.

Impact

A successful attack allows the attacker to maintain persistent access to the compromised system. The attacker can then perform various malicious activities, such as stealing sensitive data, installing additional malware, or using the system as a foothold for lateral movement within the network. The compromise affects any user who launches Adobe Acrobat Reader on the infected machine.

Recommendation

Enable Sysmon file creation logging (Event ID 11) to detect the creation of RdrCEF.exe in the specified Adobe Acrobat Reader directories to enable the rule “Deprecated - Adobe Hijack Persistence” (Data Source: Sysmon).
Deploy the Sigma rule “Detect Adobe RdrCEF.exe File Creation” to your SIEM and tune for your environment.
Investigate any alerts generated by the provided Sigma rule, focusing on identifying the origin and purpose of the created RdrCEF.exe file.
Monitor for unusual process execution originating from the RdrCEF.exe file location.

Adobe — CraftedSignal Threat Feed

Adobe Acrobat and Reader CVE-2026-34621 Zero-Day Exploitation

Attack Chain

Impact

Recommendation

Adobe RdrCEF.exe Hijack for Persistence

Attack Chain

Impact

Recommendation