Adobe Reader Zero-Day Exploited for Months: Researcher
Adobe Reader zero-day actively exploited for months; researcher detects sophisticated PDF exploit.
Summary
Security researcher Haifei Li has identified an actively exploited Adobe Reader zero-day vulnerability through his Expmon sandbox system, with evidence of exploitation dating back at least four months (November 2025). The malicious PDF exploit acts as an initial vector capable of collecting system data and potentially delivering remote code execution and sandbox escape payloads, with Russian-language lures suggesting targeting of Russia-related entities. Adobe was notified on April 7 and is assessing the vulnerability, though Li was unable to fully reproduce the complete attack chain or obtain secondary payloads.
Full text
A researcher has come across what appears to be an actively exploited Adobe Reader zero-day vulnerability. Haifei Li is asking the cybersecurity community for assistance in investigating what he describes as a sophisticated PDF exploit.

Li is a reputable researcher who over the past two decades has worked at Fortinet, Microsoft, McAfee, and Check Point. He is the founder and developer of Expmon, a sandbox-based system designed to detect file-based zero-days and other exploits.

The new Reader exploit was detected by Expmon, and an analysis showed that the identified PDF “acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits”.

The researcher believes the PDF exploits a zero-day vulnerability as the attack has been confirmed to work against the latest version of Adobe Reader.

While Li has confirmed that the identified exploit collects user and other data from the compromised system, he was unable to reproduce the complete attack chain and obtain additional payloads that may be used for a sandbox escape or remote code execution.

SecurityWeek has reached out to Adobe, but it may take some time for the company to share information on its assessment considering that it only received the details of the exploit on or around April 7.

Exploits targeting the potential zero-day have been submitted to both Expmon and VirusTotal. One sample identified on VirusTotal was submitted in November 2025, which indicates that the vulnerability has been exploited for at least 4 months.

One threat intelligence analyst who reviewed the exploits noted that the malicious PDFs contained Russian-language lures and referenced current events in Russia’s oil and gas sector.

Adobe has credited Li with reporting several Reader and Acrobat vulnerabilities in recent years, including critical code-execution flaws.
However, in the case of a Reader vulnerability discovered in 2024 and tracked as CVE-2024-41869, Adobe has not confirmed in-the-wild exploitation after Li reported coming across a PDF that apparently attempted to weaponize the bug.

Written by Eduard Kovacs (@EduardKovacs), senior managing editor at SecurityWeek.
Indicators of Compromise
- cve — CVE-2024-41869
- malware — Adobe Reader zero-day exploit (unpatched)