Tags: vulnerability, critical, Document Exploit, Zero-Day Exploit

Apr 09, 2026 • The Hacker News

Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

Source: The Hacker News
Category: vulnerability
Severity: critical

Executive Summary

Threat actors are actively exploiting a previously unknown zero-day vulnerability within Adobe Reader via maliciously crafted PDF documents. This campaign has been ongoing since at least December 2025, with initial artifacts like Invoice540.pdf appearing on VirusTotal in late November 2025. Security researcher Haifei Li from EXPMON identified the activity, describing the mechanism as a highly sophisticated PDF exploit. The vulnerability allows attackers to potentially execute arbitrary code upon opening infected documents, posing a critical risk to users relying on Adobe Reader for document processing. While specific attribution remains unclear, the exploitation technique indicates advanced capabilities. Organizations should immediately update Adobe Reader to the latest version, disable JavaScript within PDF readers, and implement email filtering solutions to block suspicious attachments. Users are advised to exercise caution when opening unsolicited PDF files from untrusted sources to mitigate the risk of compromise associated with this zero-day exploit campaign.
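The summary above pairs disabling JavaScript in the reader with filtering attachments at the mail gateway. The following is an added example, not code from the original report or from EXPMON: a gateway-side triage that flags PDF attachments declaring script or auto-run keys. The key list, function names and sample message are assumptions constructed for illustration, and the check is a general heuristic rather than a signature for this exploit, whose internals the page does not describe.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# PDF name keys that declare script or auto-run behaviour (assumed list).
RISKY = {"JS", "JavaScript", "OpenAction", "AA", "Launch"}
# A PDF name is "/" followed by anything except whitespace and delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")

def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, which PDF permits inside names (/J#61vaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def risky_keys(pdf: bytes) -> set:
    """Risky keys visible in the uncompressed parts of a PDF.
    Keys hidden inside compressed object streams are not seen here."""
    return {n for n in map(decode_name, NAME_RE.findall(pdf)) if n in RISKY}

def triage(raw_email: bytes) -> dict:
    """Map each PDF attachment's filename to the risky keys it declares."""
    verdicts = {}
    for part in message_from_bytes(raw_email).walk():
        data = part.get_payload(decode=True)  # None for multipart containers
        # Identify PDFs by magic bytes, not by extension or MIME type.
        if data and b"%PDF-" in data[:1024]:
            verdicts[part.get_filename() or "unnamed"] = risky_keys(data)
    return verdicts

def build_sample() -> bytes:
    """Constructed message: two inert PDF-like bodies, one with an
    obfuscated /JavaScript key and an /OpenAction, one with neither."""
    scripted = (b"%PDF-1.7\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
                b"2 0 obj<</S/J#61vaScript/JS(placeholder)>>endobj\n%%EOF")
    plain = b"%PDF-1.7\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n%%EOF"
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(scripted, maintype="application", subtype="pdf",
                       filename="sample-scripted.pdf")
    msg.add_attachment(plain, maintype="application", subtype="octet-stream",
                       filename="sample-plain.bin")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, keys in triage(build_sample()).items():
        print(name, "QUARANTINE" if keys else "pass", sorted(keys))
```

An empty result for a PDF means only that no such key appears in the clear, so this belongs alongside, not in place of, patching and the reader-side JavaScript setting.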

Summary

Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025. The finding, detailed by EXPMON's Haifei Li, has been described as a highly-sophisticated PDF exploit. The artifact ("Invoice540.pdf") first appeared on the VirusTotal platform on November 28, 2025. A second
