CVE-2026-34621 represents a critical prototype pollution vulnerability affecting Adobe Acrobat DC, Adobe Acrobat Reader DC, and Adobe Acrobat 2024 across Windows and macOS platforms. This vulnerability, categorized under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), is being actively exploited in the wild, transforming seemingly innocuous PDF documents into sophisticated attack vectors capable of local file access, data exfiltration, and potential arbitrary code execution. Evidence suggests this vulnerability may have been exploited as a zero-day since at least late November 2025, operating stealthily for approximately four months before public disclosure and patch availability in April 2026.
The vulnerability stems from insufficient input sanitization within Adobe Acrobat and Reader’s embedded JavaScript processing engine. JavaScript’s prototype-based inheritance system allows objects to inherit properties from shared prototypes such as Object.prototype. When user-controlled input is not adequately validated during PDF processing, attackers can manipulate these fundamental prototypes, effectively altering how objects behave across the entire application runtime. This prototype pollution enables serious security consequences including control-flow manipulation, security control bypass, and ultimately arbitrary code execution within the context of the PDF viewer application.
The exploitation chain begins when victims open specially crafted malicious PDF files, typically delivered through targeted spear-phishing campaigns or watering hole attacks. Upon opening the weaponized document, malicious JavaScript embedded within the PDF exploits the prototype pollution vulnerability to interact with privileged internal Adobe APIs that should be inaccessible to untrusted PDF content. Specifically, attackers leverage functions including util.readFileIntoStream() to access and read arbitrary files from the victim’s local filesystem, enabling exfiltration of sensitive data including credentials, configuration files, private keys, and proprietary documents.
Following initial file access, the exploit utilizes the RSS.addFeed() function to exfiltrate collected data to attacker-controlled remote servers. This RSS feed subscription mechanism, intended for legitimate document updates and content syndication, is abused to establish command-and-control communications. The attacker server responds with additional malicious JavaScript payloads, enabling dynamic attack evolution and multi-stage compromise. This bidirectional communication channel allows threat actors to profile victim environments, selectively escalate to more sophisticated attacks based on target value, and potentially achieve full system compromise through sandbox escape techniques.
The vulnerability affects multiple Adobe product lines and deployment tracks. Acrobat DC and Acrobat Reader DC on the Continuous update track are vulnerable up to version 26.001.21367, while Acrobat 2024 on the Classic 2024 track is vulnerable up to version 24.001.30356. Both Windows and macOS installations are affected, creating a broad attack surface across enterprise and consumer environments. While exploitation requires user interaction to open malicious PDF files, the low attack complexity and absence of authentication requirements make this vulnerability highly effective in social engineering scenarios where users routinely open PDF attachments.
Adobe initially assigned CVE-2026-34621 a CVSS v3.1 score of 9.6, reflecting a network-based attack vector classification. However, on April 12, 2026, Adobe revised the advisory, reclassifying the attack vector from Network to Local and adjusting the CVSS score to 8.6. Despite this numerical reduction, Adobe maintains the vulnerability’s classification as Critical with Priority 1 remediation urgency, acknowledging confirmed active exploitation and the severity of potential impacts.
The timeline of exploitation reveals concerning indicators of prolonged zero-day abuse. The earliest known exploit sample appeared on VirusTotal on November 28, 2025, though this upload does not definitively establish the initial exploitation date. Analysis suggests active exploitation likely began in December 2025. The vulnerability remained undetected by major security vendors until March 23, 2026, when EXPMON threat intelligence detected a malicious sample. A second distinct exploit sample surfaced on March 26, 2026. Adobe released emergency security patches on April 8, 2026, and a further exploit sample was discovered on April 11, 2026, suggesting multiple threat actors may possess working exploits.
This extended zero-day exploitation window of approximately four months allowed attackers to operate with minimal detection, compromising potentially thousands of victims before public awareness and patch availability. The low initial detection rates and stealthy operational characteristics suggest sophisticated threat actor involvement, potentially including state-sponsored advanced persistent threat groups or well-resourced cybercriminal organizations with access to vulnerability research and exploit development capabilities.
CVE-2026-34621 represents a prototype pollution vulnerability, a class of security flaw specific to JavaScript and prototype-based programming languages. In JavaScript, virtually all objects inherit properties and methods from prototype objects, with Object.prototype serving as the base prototype for most objects. When JavaScript code allows user-controlled input to modify prototype properties without adequate validation, attackers can inject malicious properties into shared prototypes, causing these properties to propagate across all objects inheriting from the polluted prototype.
Prototype pollution enables various exploitation techniques including property injection attacks where attackers add unexpected properties to objects that should not possess them, behavior modification where existing object methods are overridden with malicious implementations, security control bypass through pollution of properties used in access control decisions, and control-flow manipulation by altering properties that govern application logic flow. In the context of Adobe Acrobat and Reader, prototype pollution within the PDF JavaScript engine allows attackers to escape the intended security sandbox and interact with privileged APIs designed exclusively for trusted code.
The vulnerability exists within Adobe’s implementation of JavaScript execution for PDF documents. PDFs can embed JavaScript code for legitimate purposes including form validation, dynamic content generation, and interactive features. However, Adobe’s JavaScript implementation must carefully sanitize all user-controlled input to prevent untrusted PDF content from accessing privileged system operations. CVE-2026-34621 represents a failure in this input validation, allowing specially crafted PDF JavaScript to pollute critical prototypes and subsequently leverage the polluted state to invoke privileged functions.
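The mechanism described in the three paragraphs above is easiest to see in plain JavaScript. The following is an added, generic illustration of CWE-1321, not Adobe's code and not anything taken from the exploit samples: a naive recursive merge that copies untrusted keys into an object, a hypothetical privileged operation gated on a `trusted` flag, and the hardened versions of both. The merge functions, the gate, and the `trusted` property name are all assumptions made for the example.

```javascript
// Added illustration of prototype pollution (CWE-1321) in generic JavaScript.
// Not Adobe's code; unsafeMerge/safeMerge, the "trusted" flag and the
// privileged-operation gate are hypothetical names chosen for this example.

// A naive recursive merge that copies keys from untrusted input into a target.
// A key literally named "__proto__" is not an ordinary key: target["__proto__"]
// resolves to Object.prototype, so the recursion writes into the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value); // with key === "__proto__" this is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuse the keys that walk prototype links and only recurse into
// properties the target actually owns, so nothing inherited is ever written through.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hypothetical API gate. Reading ctx.trusted follows the prototype chain, which
// is exactly what a polluted Object.prototype subverts.
function privilegedOpWeak(ctx) {
  return ctx.trusted ? 'executed' : 'denied';
}

// Same gate, but only an own property with the exact expected value passes.
function privilegedOpStrong(ctx) {
  const own = Object.prototype.hasOwnProperty.call(ctx, 'trusted');
  return own && ctx.trusted === true ? 'executed' : 'denied';
}

// Runs both paths against the same untrusted input and reports what each gate did.
function demonstrate() {
  // Constructed untrusted input, as it would arrive from JSON.parse of attacker data.
  const untrusted = JSON.parse('{"title":"form","__proto__":{"trusted":true}}');
  const results = {};

  // Hardened path first: the prototype stays clean, an unrelated object is denied.
  safeMerge({}, untrusted);
  results.safePolluted = ({}).trusted === true;          // false
  results.safeGate = privilegedOpWeak({});               // 'denied'

  // Vulnerable path: after the merge every plain object inherits trusted === true.
  unsafeMerge({}, untrusted);
  results.unsafePolluted = ({}).trusted === true;        // true
  results.unsafeGateWeak = privilegedOpWeak({});         // 'executed'
  results.unsafeGateStrong = privilegedOpStrong({});     // 'denied'

  // Undo the pollution so it does not leak past this demonstration.
  delete Object.prototype.trusted;
  return results;
}

module.exports = { unsafeMerge, safeMerge, privilegedOpWeak, privilegedOpStrong, demonstrate };
```

The point to take from `demonstrate()` is that the weak gate is bypassed by an object the attacker never touched: the flag was written once into `Object.prototype` and every later `{}` inherits it. Both fixes matter independently: rejecting `__proto__`, `constructor` and `prototype` keys (or building targets with `Object.create(null)`) stops the pollution, and checking own properties in security decisions limits the damage if some other code path pollutes the prototype anyway.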
The exploitation process begins when victims open malicious PDF files containing carefully crafted JavaScript code. This JavaScript exploits insufficient input sanitization in Adobe’s PDF processing engine to pollute fundamental object prototypes. By injecting specific properties into these prototypes, attackers manipulate how the application processes subsequent operations, particularly those involving privileged API access controls.
Once prototype pollution is achieved, the exploit leverages util.readFileIntoStream(), a privileged Adobe JavaScript API function designed for internal use by trusted code. Under normal circumstances, untrusted PDF JavaScript should not be able to invoke this function due to API access controls. However, the prototype pollution vulnerability allows attackers to bypass these restrictions, gaining unauthorized access to file system read capabilities. The util.readFileIntoStream() function enables reading arbitrary files from the local system, limited only by the permissions of the user account running Adobe Acrobat or Reader.
Attackers utilize this file read capability to exfiltrate sensitive information including credential files, SSH private keys, browser saved passwords, application configuration files containing API keys or database credentials, proprietary documents, intellectual property, and system configuration information useful for privilege escalation or lateral movement. The breadth of accessible data depends on the victim user’s file system permissions and the contents of their home directory and accessible system locations.
Following data collection, the exploit utilizes RSS.addFeed(), another Adobe JavaScript API function intended for subscribing to RSS feeds for document updates. By specifying an attacker-controlled server as the RSS feed URL, the malware establishes a covert exfiltration channel. The stolen data is transmitted to the attacker server disguised as legitimate RSS feed subscription requests, potentially evading network security monitoring configured to detect obvious data exfiltration patterns.
The attacker-controlled server responds to the RSS feed request with additional malicious JavaScript code disguised as RSS feed content. Adobe’s PDF JavaScript engine processes this response, executing the attacker-provided JavaScript and enabling multi-stage attack progression. This bidirectional communication establishes a rudimentary command-and-control channel, allowing attackers to dynamically adapt their operations based on victim environment reconnaissance.
Analysis of known exploit samples suggests the vulnerability serves primarily as an initial reconnaissance and data exfiltration mechanism rather than immediate full system compromise. The exploit appears designed to profile victim environments, collecting system information, installed software, user privileges, network configuration, and security software presence. This intelligence enables attackers to make informed decisions about subsequent attack stages.
For high-value targets meeting specific criteria such as presence within targeted organizations, elevated user privileges, absence of robust endpoint security, or valuable accessible data, attackers may selectively escalate to more sophisticated attack stages including sandbox escape exploits enabling arbitrary code execution outside the PDF viewer’s security context, privilege escalation attempts leveraging system vulnerabilities identified during reconnaissance, persistent backdoor installation for long-term access, or deployment of additional malware payloads tailored to the specific victim environment.
This selective escalation approach provides operational security benefits for attackers by limiting exposure of sophisticated exploitation techniques to only valuable targets, reducing detection likelihood by avoiding mass deployment of advanced malware, and preserving zero-day exploits by not deploying them against low-value or well-monitored systems. The staged approach suggests professional threat actor operations rather than opportunistic criminal activity.
The vulnerability affects multiple Adobe product lines across two distinct update tracks. The Continuous track, which receives frequent feature updates and is the default for most consumer and enterprise deployments, includes vulnerable versions of Acrobat DC and Acrobat Reader DC up to and including version 26.001.21367. The Classic track, which receives less frequent updates focused on stability, includes vulnerable Acrobat 2024 versions up to 24.001.30356. Both Windows and macOS installations are affected across all vulnerable versions.
Adobe released emergency security patches on April 8, 2026, following confirmation of active in-the-wild exploitation. Patched versions include Acrobat DC and Acrobat Reader DC version 26.001.21411 for the Continuous track, and Acrobat 2024 version 24.001.30362 for Windows and version 24.001.30360 for macOS on the Classic 2024 track. These patches address the prototype pollution vulnerability through improved input validation and sanitization in the JavaScript processing engine.
Adobe’s initial CVSS v3.1 assessment assigned CVE-2026-34621 a score of 9.6 based on a network attack vector classification. This scoring reflected an interpretation where the vulnerability could be triggered remotely through network delivery of malicious PDF files. However, on April 12, 2026, Adobe revised the advisory, reclassifying the attack vector from Network (AV:N) to Local (AV:L), resulting in an adjusted CVSS score of 8.6.
This revision reflects a more precise interpretation of CVSS attack vector definitions. While the malicious PDF is delivered via network mechanisms (email, web download), actual exploitation requires local user interaction to open the file, meeting the CVSS definition of a local attack vector. Despite the numerical score reduction, Adobe continues to classify CVE-2026-34621 as Critical severity with Priority 1 remediation urgency, reflecting confirmed active exploitation and significant potential impact including data exfiltration, privacy violation, and potential system compromise.
Multiple indicators suggest CVE-2026-34621 was exploited as a zero-day vulnerability for several months before patch availability. The earliest known malicious sample appeared on VirusTotal on November 28, 2025, suggesting exploitation potentially began in late November or early December 2025. The exploit operated with low detection rates across major antivirus vendors, indicating sophisticated evasion techniques and limited security community awareness.
Independent researchers at EXPMON identified a malicious exploit sample on March 23, 2026, marking the first public detection and analysis of active exploitation. A second distinct exploit sample surfaced on March 26, 2026, shortly before Adobe’s April 8 emergency patch release. The discovery of a third sample on April 11, 2026, three days after patch availability, suggests multiple distinct threat actors possess working exploits, or that a single actor continues operations against unpatched systems.
The approximately four-month window between suspected initial exploitation and patch availability represents a significant zero-day exposure period during which attackers operated with minimal risk of detection or disruption. This extended exploitation window enabled potentially widespread compromise across enterprise and consumer environments, with the full scope of victimization likely remaining unknown due to the exploit’s stealthy operational characteristics.
Organizations must treat CVE-2026-34621 patching as an emergency priority given confirmed active exploitation. IT administrators should deploy Adobe’s emergency security patches without delay across all Windows and macOS endpoints running Adobe Acrobat DC, Adobe Acrobat Reader DC, or Adobe Acrobat 2024. For Acrobat DC and Reader DC on the Continuous track, systems should be updated to version 26.001.21411. For Acrobat 2024 on the Classic track, Windows systems require version 24.001.30362 while macOS systems require version 24.001.30360.
End users can initiate updates manually through the application menu by selecting Help > Check for Updates. IT administrators managing enterprise deployments should leverage centralized update distribution mechanisms including Adobe’s AIP-GPO (Adobe Installer Package – Group Policy Objects) for Windows domain environments, Microsoft SCUP/SCCM (System Center Updates Publisher / System Center Configuration Manager) for enterprise Windows patch management, Apple Remote Desktop for managed macOS environments, or SSH-based deployment tools for scripted mass distribution across macOS systems. Patch deployment should be prioritized above routine update cycles and tracked for complete coverage verification.
Email security gateways, web proxies, and endpoint protection platforms should implement enhanced scrutiny of inbound PDF attachments and downloads. Security teams should configure these systems to automatically sandbox PDF files in isolated analysis environments before delivery to end users, quarantine PDFs exhibiting suspicious characteristics including embedded JavaScript, outbound network connections, or obfuscated content, and implement temporary restrictions on automatic opening of PDF files from untrusted or external sources until organizational patching reaches completion.
Organizations should communicate clearly to users that this temporary restriction serves as a precautionary measure during emergency patching and will be lifted following verification of complete patch deployment across the environment. Security operations centers should establish expedited review procedures for quarantined legitimate business-critical PDF documents requiring immediate access.
For systems that cannot be immediately patched due to operational constraints, testing requirements, or compatibility concerns, organizations should implement interim mitigation through JavaScript disablement in Adobe applications. This configuration change significantly reduces attack surface for CVE-2026-34621 and similar JavaScript-based PDF exploits. Users can disable JavaScript by navigating to Edit > Preferences > JavaScript and unchecking “Enable Acrobat JavaScript.”
IT administrators can enforce JavaScript disablement across managed endpoints through Group Policy on Windows domains or configuration profile deployment on managed macOS systems. Security teams should document which systems operate with JavaScript disabled and prioritize these systems for expedited patching, as JavaScript disablement may impact legitimate PDF functionality including interactive forms, dynamic content, and certain document workflows.
Security awareness programs should incorporate specific training regarding PDF-based threats, particularly emphasizing that PDF files can contain active executable content including JavaScript that runs automatically upon document opening. Users should be instructed to exercise caution when opening PDF attachments from unknown senders, unexpected PDF files received via email or messaging platforms, PDFs requiring unusual permissions or prompting security warnings, and PDF files downloaded from untrusted websites or file-sharing services.
Training should encourage users to report suspicious PDF files to security operations teams rather than attempting to determine safety independently. Security teams should establish clear reporting procedures and ensure rapid response to user reports during the active exploitation period.
Organizations must integrate CVE-2026-34621 into vulnerability management workflows with highest priority classification. Security teams should maintain comprehensive inventory of all Adobe Acrobat and Reader installations including version numbers, update track assignments (Continuous vs. Classic), platform designations (Windows vs. macOS), and deployment locations. This inventory enables targeted patch verification and identification of any systems inadvertently missed during initial deployment.
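Given such an inventory, the patch-verification step is a version comparison per track and platform. The script below is an added example, not Adobe's tooling or a vendor product: it encodes the fixed versions stated in this write-up (26.001.21411 for the Continuous track; 24.001.30362 for Windows and 24.001.30360 for macOS on the Classic 2024 track), compares dotted build numbers segment by segment, and reports which hosts still need the update. The inventory records, hostnames and the `needs-update`/`patched`/`unknown-track` labels are constructed for the example; any build below the fixed one is treated as needing the update.

```javascript
// Added example, not Adobe's own tooling: decide from inventory records whether an
// Acrobat/Reader install still needs the CVE-2026-34621 update. Fixed versions are
// the ones stated in the text above; records and hostnames are constructed.
const FIXED_VERSIONS = {
  // track -> platform -> first fixed build
  continuous:  { windows: '26.001.21411', macos: '26.001.21411' },
  classic2024: { windows: '24.001.30362', macos: '24.001.30360' },
};

// Compare dotted numeric versions segment by segment: '26.001.21411' -> [26, 1, 21411].
// A plain string comparison would mis-order builds like 24.001.30356 vs 24.001.9999.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Normalise free-text inventory fields ('Classic 2024', 'macOS') to lookup keys.
function normalise(s) {
  return String(s).toLowerCase().replace(/[^a-z0-9]/g, '');
}

// One record -> 'patched' | 'needs-update' | 'unknown-track'.
// Anything below the fixed build is reported as needing the update; the platform
// matters on the Classic track because Windows and macOS have different fixed builds.
function assessInstall(record) {
  const track = FIXED_VERSIONS[normalise(record.track)];
  const fixed = track && track[normalise(record.platform)];
  if (!fixed) return 'unknown-track';
  return compareVersions(record.version, fixed) >= 0 ? 'patched' : 'needs-update';
}

// Whole inventory -> hosts grouped by status, for the coverage-verification report.
function summarise(inventory) {
  const result = { patched: [], needsUpdate: [], unknown: [] };
  for (const r of inventory) {
    const status = assessInstall(r);
    if (status === 'patched') result.patched.push(r.host);
    else if (status === 'needs-update') result.needsUpdate.push(r.host);
    else result.unknown.push(r.host);
  }
  return result;
}

// Constructed inventory (hostnames and the specific installs are illustrative).
const SAMPLE_INVENTORY = [
  { host: 'ws-01', track: 'Continuous',   platform: 'Windows', version: '26.001.21367' }, // last vulnerable
  { host: 'ws-02', track: 'Continuous',   platform: 'macOS',   version: '26.001.21411' }, // fixed
  { host: 'ws-03', track: 'Classic 2024', platform: 'Windows', version: '24.001.30356' }, // last vulnerable
  { host: 'ws-04', track: 'Classic 2024', platform: 'macOS',   version: '24.001.30360' }, // fixed on macOS
  { host: 'ws-05', track: 'Classic 2024', platform: 'Windows', version: '24.001.30360' }, // NOT fixed on Windows
  { host: 'ws-06', track: 'Unrecorded',   platform: 'Windows', version: '0.0.0' },        // inventory gap
];

module.exports = { FIXED_VERSIONS, compareVersions, assessInstall, summarise, SAMPLE_INVENTORY };
```

Two details are worth keeping when adapting this: the `unknown-track` bucket exists so that incomplete inventory rows surface as work items instead of silently passing, and the Windows/macOS split on the Classic track is why the record for `ws-05` is still reported as needing the update even though the same build number is the fixed one on macOS.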
Security teams should monitor for potential addition of CVE-2026-34621 to CISA’s Known Exploited Vulnerabilities catalog. If added, federal civilian executive branch agencies face binding remediation deadlines, and all organizations should interpret KEV catalog inclusion as additional signal to prioritize comprehensive remediation verification.
T1566: Phishing
T1203: Exploitation for Client Execution
T1059: Command and Scripting Interpreter
T1083: File and Directory Discovery
T1005: Data from Local System
T1041: Exfiltration Over C2 Channel
T1588: Obtain Capabilities
https://helpx.adobe.com/security/products/acrobat/apsb26-43.html
https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html