
A newly uncovered zero-day vulnerability in Adobe Reader is being actively exploited in the wild via malicious PDFs, allowing attackers to fingerprint systems, exfiltrate data, and potentially deploy follow-up exploits.
The flaw remains unpatched and affects the latest version of Adobe Reader.
The activity was discovered by EXPMON after a suspicious PDF sample was submitted to its public analysis system on March 26. The researchers conducted a manual analysis and uncovered a highly obfuscated JavaScript-based exploit embedded within the document. The malicious code executes automatically when the PDF is opened, requiring no additional user interaction. By decoding multiple layers of obfuscation, the researchers determined that the script abuses privileged Acrobat APIs that should not be accessible under normal sandbox restrictions.
At the center of the attack are two key APIs: util.readFileIntoStream() and RSS.addFeed(). The former enables the PDF to read arbitrary files accessible to the Adobe Reader sandbox, including sensitive system files. The latter is used as a covert communication channel, allowing the malware to both exfiltrate collected data and retrieve additional payloads from a remote server.
The exploit gathers extensive system information, including the victim’s OS version, Adobe Reader version, language settings, and file paths. Notably, it reads data from files such as ntdll.dll to derive precise operating system details, a technique often used to tailor follow-on exploits. This information is transmitted to an attacker-controlled server at 169.40.2.68:45191, where it likely informs whether the target is suitable for further compromise.
Although the initial exploit was confirmed to work against the latest version of Adobe Reader (26.00121367), researchers were unable to retrieve the suspected secondary payload during testing. However, controlled experiments demonstrated that the infrastructure can deliver additional JavaScript, which could be used to achieve remote code execution (RCE) or sandbox escape (SBX). In one test, a custom server response successfully executed arbitrary JavaScript within Adobe Reader, validating the attack chain’s potential.
Further testing also confirmed that the exploit can exfiltrate local files without needing additional payloads. Researchers modified the sample to read a .png file from the Windows system32 directory and successfully transmit it to a remote server, highlighting the severity of the data exposure risk even in the absence of a full system compromise.
A second variant of the exploit was identified on April 8 by security researcher Greg Lesnewich, using a different command-and-control server (188.214.34.20:34123). Historical samples suggest the campaign may have been active for at least 4 months, indicating a sustained, potentially targeted operation.
Until Adobe releases a security update addressing the vulnerability, users are advised to treat all PDF files from untrusted sources as potentially malicious. Organizations should consider blocking known attacker infrastructure and monitoring network traffic for suspicious indicators, such as HTTP requests containing the “Adobe Synchronizer” user agent string.
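One way to act on the network indicators above, as an added example that is not from the article or from EXPMON: a Python scan over proxy-style log lines that flags connections to the two servers named in the article and requests carrying the "Adobe Synchronizer" user agent. The log format and the sample lines are constructed for this example; the addresses 203.0.113.10 and 198.51.100.9 are documentation ranges, not indicators from the article.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article: attacker-controlled servers and the user agent string.
C2_ENDPOINTS = {("169.40.2.68", 45191), ("188.214.34.20", 34123)}
SUSPICIOUS_UA = "Adobe Synchronizer"

# Constructed sample log lines in a hypothetical proxy format:
# <timestamp> <client> <dest>:<port> <method> <url> "<user-agent>"
SAMPLE_LOG = """\
2025-04-09T10:01:02Z 10.0.0.5 203.0.113.10:443 GET https://example.com/index.html "Mozilla/5.0"
2025-04-09T10:01:07Z 10.0.0.5 169.40.2.68:45191 POST http://169.40.2.68:45191/feed "Adobe Synchronizer"
2025-04-09T10:02:11Z 10.0.0.7 198.51.100.9:80 GET http://198.51.100.9/rss.xml "Adobe Synchronizer"
2025-04-09T10:03:40Z 10.0.0.8 188.214.34.20:34123 GET http://188.214.34.20:34123/ "curl/8.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) "([^"]*)"$')


@dataclass
class Hit:
    timestamp: str
    client: str
    dest: str
    port: int
    reasons: tuple  # why the line was flagged; a C2 match outranks a UA-only match


def scan_log(text: str) -> list:
    """Return one Hit per log line that matches a known C2 endpoint or the suspicious UA."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, client, dest, port, _method, _url, ua = m.groups()
        port = int(port)
        reasons = []
        if (dest, port) in C2_ENDPOINTS:
            reasons.append("known C2 endpoint")
        if SUSPICIOUS_UA in ua:
            reasons.append("Adobe Synchronizer user agent")
        if reasons:
            hits.append(Hit(ts, client, dest, port, tuple(reasons)))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.timestamp} {h.client} -> {h.dest}:{h.port}: {', '.join(h.reasons)}")
```

A line flagged only for the user agent is a triage lead rather than a confirmed compromise; a match on one of the listed endpoints warrants pulling the client for investigation.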
