Active Zero-Day in Adobe Reader Steals Files by Abusing Privileged APIs

Executive Summary

Security researchers have discovered an unpatched zero-day vulnerability in Adobe Acrobat and Reader that is under active exploitation in the wild. The campaign, observed since at least December 2025, uses malicious PDF files to trigger the flaw. The vulnerability is a logic bug, not a memory-corruption issue, that allows sandboxed JavaScript within a PDF to call privileged APIs. This enables an attacker to read arbitrary files from the victim's local file system and exfiltrate them to a remote server. The attack requires no user interaction beyond opening the malicious PDF. Evidence suggests the campaign is targeted, using lures related to the oil and gas industry. Adobe has not yet released a patch, leaving users vulnerable.

Vulnerability Details

• CVE ID: None assigned at time of writing.
• Affected Product: Adobe Acrobat and Reader (latest versions).
• Vulnerability Type: Logic Bug / Sandbox Escape via Privileged API Abuse.
• Impact: Arbitrary File Read and Data Exfiltration.

This is not a typical memory corruption vulnerability. Instead, it's a flaw in the application's logic that fails to properly restrict access to powerful, privileged JavaScript APIs from within the sandboxed environment. The exploit specifically abuses the util.readFileIntoStream API to read local files and the RSS.addFeed API to communicate with the command-and-control (C2) server for data exfiltration and to retrieve additional payloads.

Exploitation Status

The vulnerability is actively exploited. The campaign was discovered after a weaponized PDF named yummy_adobe_exploit_uwu.pdf was uploaded to the public malware analysis service EXPMON. The JavaScript inside the PDF is heavily obfuscated. When a victim opens the file, the script executes, performing the following actions:

1. Fingerprinting: Collects victim system information, including OS version, language, and Adobe Reader version.
2. File Theft: Uses the util.readFileIntoStream API to read local files (e.g., from the system32 folder).
3. Data Exfiltration: Sends the stolen files to an attacker-controlled C2 server.
4. Secondary Payload: Uses the RSS.addFeed API to connect to the C2 and download an additional AES-encrypted JavaScript payload for further actions.

Forensic analysis revealed Russian-language decoy content related to the oil and gas sector, strongly suggesting these are targeted attacks against specific individuals or organizations rather than a widespread, opportunistic campaign.

Impact Assessment

The primary impact is data theft. An attacker can use this vulnerability to steal sensitive documents, configuration files, credentials, or any other file on the victim's machine that the user has permission to read. In a targeted attack against a corporate executive in the oil and gas industry, this could lead to the theft of:

• Proprietary technical documents and trade secrets.
• Internal financial reports.
• Sensitive emails and communications.
• Credentials stored in configuration files or browser databases.

This type of targeted intelligence gathering can have severe economic and strategic consequences for the victim organization.

Cyber Observables for Detection

Detection & Response

Detecting this exploit requires monitoring application behavior and network traffic.

1. Endpoint Detection and Response (EDR): An EDR solution can detect the anomalous behavior of the Adobe Reader process (AcroRd32.exe). Specifically, look for the process making outbound network connections or attempting to read files outside of its expected directories.
2. Network Security Monitoring: Monitor firewall and proxy logs for any network connections initiated by AcroRd32.exe. Block any such connections to untrusted or unknown destinations.
3. Email Security: Use email security gateways to scan and block incoming PDF attachments, especially those from unknown senders or with suspicious naming conventions. Since this is a zero-day, signature-based AV on the gateway may not be effective, but sandboxing and content disarm and reconstruction (CDR) technologies might be.

D3FEND Reference: Key detection strategies include D3-PA - Process Analysis to observe AcroRd32.exe's file access and network activity, and D3-OTF - Outbound Traffic Filtering to block the exfiltration channel.

Mitigation

Until Adobe releases a patch, users are reliant on compensating controls.

1. Disable JavaScript in Adobe Reader: The most effective immediate mitigation is to disable JavaScript execution in Adobe Reader's preferences. This will break the exploit chain, but may also cause legitimate PDFs with interactive features to fail. This is a powerful hardening step under M1054 - Software Configuration.
2. User Awareness: Train users to be extremely cautious about opening unsolicited PDF attachments, even if they appear to come from a trusted source. Verify the sender and the legitimacy of the document through a separate communication channel.
3. Use Alternative PDF Readers: Consider using alternative PDF viewers that may not be targeted by this specific exploit. However, this is a temporary measure as any complex software can have vulnerabilities.
4. Patch Immediately When Available: Monitor Adobe's security bulletins and apply the patch as soon as it is released.

D3FEND Reference: Disabling JavaScript is a form of D3-ACH - Application Configuration Hardening. This is the most effective proactive defense until a patch is available.