
RadioCSIRT English Edition – Adobe ZeroDay - CVE-2026-34621 - Ep.78



About this listen

On April 9, 2026, researcher Haifei Li, founder of EXPMON — a sandbox-based exploit detection system — publicly disclosed the existence of a zero-day vulnerability in Adobe Acrobat Reader actively exploited in the wild for at least five months. Adobe was notified on April 7. The vulnerability has since been confirmed by Adobe, assigned CVE-2026-34621, rated Critical at CVSS 9.6, and addressed in emergency security update APSB26-43. All Adobe Reader users must apply this patch immediately.

The attack vector is a specially crafted PDF requiring no user interaction beyond opening the file. Heavily obfuscated JavaScript executes automatically, abusing two sandboxed Acrobat APIs outside their expected context: util.readFileIntoStream to collect local files and sensitive system data, and RSS.addFeed to exfiltrate that data to a C2 server and receive additional AES-encrypted JavaScript payloads.

The exploitation chain has three identified phases. Phase one — confirmed — performs system fingerprinting: OS version, language settings, local file paths, Adobe Reader version, transmitted to the C2 for server-side victim filtering. Sandbox environments receive empty C2 responses and leave no trace; only real targets proceed. Phase two — confirmed — enables local file exfiltration on systems the operator determines are of interest. Phase three — remote code execution combined with sandbox escape — is not yet confirmed but assessed as probable by the research community.

Two known samples define the campaign timeline. Version one, uploaded to VirusTotal on November 28, 2025: prototype phase, lighter obfuscation, C2 on a bare IP, broad OS targeting, initial detection rate of two out of sixty-four VirusTotal engines. Version two, uploaded March 23, 2026: production phase, hardened obfuscation, domain-based C2, focused Windows 10 targeting. A third version is inferred from an observed /S12 endpoint targeting Reader version 25.x — which runs on Windows 11 — confirming active ongoing development at the time of disclosure. The lure documents contain Russian-language content referencing current events in Russia's oil and gas sector, consistent with targeted energy sector espionage rather than commodity malware distribution.

The confirmed C2 IP is 188.214.34.20 on port 34123 — currently offline. The network-level behavioral IOC to block is any outbound HTTP request whose user-agent header contains the string adobe synchronizer. Known malicious filenames include Invoice540.pdf alongside generic decoy names. SHA-256 hashes for both confirmed samples are published in the EXPMON and N3mes1s forensic reports. The retroactive threat hunting window is November 2025 to the present — five months of potential undetected exposure in organizations where PDF workflows are standard.

Immediate actions: apply Adobe emergency patch APSB26-43 covering CVE-2026-34621. Block outbound HTTP traffic with user-agent containing adobe synchronizer. Block C2 IP 188.214.34.20 on port 34123. Monitor for outbound network connections initiated by AcroRd32.exe or Acrobat.exe toward non-standard ports. Run retroactive IOC search in SIEM and EDR covering the full five-month exposure window. Alert staff to the risk of PDF attachments regardless of sender — lure documents in this campaign are contextually plausible invoices and sector-relevant content.

Sources
EXPMON / Haifei Li – EXPMON detected sophisticated zero-day fingerprinting attack targeting Adobe Reader users: https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html
BleepingComputer – Hackers exploiting Acrobat Reader zero-day flaw since December: https://www.bleepingcomputer.com/news/security/hackers-exploiting-acrobat-reader-zero-day-flaw-since-december/
Security Affairs – Malicious PDF reveals active Adobe Reader zero-day in the wild: https://securityaffairs.com/190558/hacking/malicious-pdf-reveals-active-adobe-reader-zero-day-in-the-wild.html

Don't think, patch!

Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

#RadioCSIRT #CyberSecurity #ThreatIntelligence #CTI #AdobeReader #ZeroDay #CVE202634621 #PDF #EXPMON #Malware
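The retroactive hunt described in the immediate actions above, as an added example that is not part of the episode or of any of the cited reports: it runs the three network-level checks the episode names (user-agent containing adobe synchronizer, the 188.214.34.20:34123 C2 pair, and AcroRd32.exe/Acrobat.exe reaching a non-standard port) over constructed JSON proxy/EDR log lines. The field names, the JSON line format and the choice of 80/443 as "expected" reader ports are assumptions for this example, not anything stated in the episode.

```python
import json
from typing import Dict, List, Tuple

# Network IOCs as stated in the episode for CVE-2026-34621
C2_IP = "188.214.34.20"
C2_PORT = 34123
UA_MARKER = "adobe synchronizer"           # matched case-insensitively, substring
READER_PROCESSES = {"acrord32.exe", "acrobat.exe"}
# Assumption for this example: ports a PDF reader is normally expected to use
EXPECTED_PORTS = {80, 443}


def classify(event: Dict) -> List[str]:
    """Return the names of every hunting rule a single event matches.
    Assumed event schema: process, dst_ip, dst_port, user_agent."""
    hits = []
    ua = (event.get("user_agent") or "").lower()
    if UA_MARKER in ua:
        hits.append("ua:adobe-synchronizer")
    port = int(event.get("dst_port") or 0)
    if event.get("dst_ip") == C2_IP and port == C2_PORT:
        hits.append("c2:188.214.34.20:34123")
    proc = (event.get("process") or "").lower()
    if proc in READER_PROCESSES and port not in EXPECTED_PORTS:
        hits.append("reader-nonstandard-port")
    return hits


def hunt(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Parse one JSON event per line; return (line_no, hits) for each match.
    Malformed lines are skipped so one bad record does not abort the hunt."""
    results = []
    for n, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            hits = classify(json.loads(raw))
        except (json.JSONDecodeError, ValueError):
            continue
        if hits:
            results.append((n, hits))
    return results


# Constructed sample log lines (not real telemetry); line 1 is the full C2 pattern
SAMPLE_LOG = """
{"process": "AcroRd32.exe", "dst_ip": "188.214.34.20", "dst_port": 34123, "user_agent": "Adobe Synchronizer"}
{"process": "chrome.exe", "dst_ip": "203.0.113.10", "dst_port": 443, "user_agent": "Mozilla/5.0"}
{"process": "Acrobat.exe", "dst_ip": "203.0.113.5", "dst_port": 8080, "user_agent": "Mozilla/5.0"}
{"process": "outlook.exe", "dst_ip": "198.51.100.9", "dst_port": 80, "user_agent": "Adobe Synchronizer/1.0"}
""".strip().splitlines()
```

Feeding `SAMPLE_LOG` to `hunt()` flags lines 1, 3 and 4; line 1 matches all three rules, which is the signature to escalate first.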