Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

A sophisticated zero-day vulnerability in Adobe Reader has been actively exploited since December 2025 via maliciously crafted PDF documents. Security researcher Haifei Li from EXPMON discovered the exploit, which represents a highly sophisticated PDF attack vector. The malicious artifact, identified as 'Invoice540.pdf', was first uploaded to VirusTotal on November 28, 2025, suggesting the attack campaign may have predated the public disclosure. Organizations using Adobe Reader should immediately apply available patches, exercise caution with unsolicited PDF attachments, and implement advanced email filtering to mitigate risks of client-side exploitation.

Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025. The finding, detailed by EXPMON's Haifei Li, has been described as a highly-sophisticated PDF exploit. The artifact ("Invoice540.pdf") first appeared on the VirusTotal platform on November 28, 2025. A second

A sophisticated zero-day vulnerability in Adobe Reader has been actively exploited since December 2025 via maliciously crafted PDF documents. Security researcher Haifei Li from EXPMON discovered the exploit, which represents a highly sophisticated PDF attack vector. The malicious artifact, identified as 'Invoice540.pdf', was first uploaded to VirusTotal on November 28, 2025, suggesting the attack campaign may have predated the public disclosure. Organizations using Adobe Reader should immediately apply available patches, exercise caution with unsolicited PDF attachments, and implement advanced email filtering to mitigate risks of client-side exploitation. Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025. The finding, detailed by EXPMON's Haifei Li, has been described as a highly-sophisticated PDF exploit. The artifact ("Invoice540.pdf") first appeared on the VirusTotal platform on November 28, 2025. A second Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025. The finding, detailed by EXPMON's Haifei Li, has been described as a highly-sophisticated PDF exploit. The artifact ("Invoice540.pdf") first appeared on the VirusTotal platform on November 28, 2025. A second