Zero-Day Exploit in Adobe Reader Targets Russian Oil and Gas Sector
Security researchers have uncovered an actively exploited zero-day vulnerability in Adobe Reader, abused by attackers since at least November 2025. The flaw, discovered by Haifei Li, founder of the sandbox-based exploit detection system EXPMON, allows attackers to compromise a system with no user interaction beyond opening a malicious PDF.
The attack leverages a specially crafted file, such as the identified Invoice540.pdf, which executes obfuscated JavaScript code when opened. This code abuses two built-in Adobe Reader APIs, util.readFileIntoStream and RSS.addFeed, to exfiltrate data to a remote server (169.40.2.68). The exploit also enables further malicious actions, including remote code execution (RCE) and sandbox escape (SBX), potentially granting full control of the system.
Analysis by security researcher Giuseppe Massaro (Gi7w0rm) revealed that the malicious PDFs contain Russian-language content, using lures related to the oil and gas industry to appear legitimate. This suggests targeted attacks against entities in that sector.
Adobe was notified of the flaw on April 7, 2026, but no patch has been released. The vulnerability follows a similar unpatched flaw (CVE-2024-41869) reported by Li in 2024, though Adobe did not confirm its exploitation at the time. Until a fix is issued, organizations are advised to exercise caution with unsolicited PDFs and monitor network traffic for Adobe Synchronizer-related communications.
Source: https://hackread.com/adobe-reader-zero-day-exploit-data-malicious-pdfs/
Adobe cybersecurity rating report: https://www.rankiteo.com/company/adobe
{
  "id": "ADO1775759555",
  "linkid": "adobe",
  "type": "Vulnerability",
  "date": "11/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [{"industry": "Oil and Gas", "location": "Russia", "type": "Organization"}],
  "attack_vector": "Malicious PDF (Invoice540.pdf)",
  "data_breach": {"data_exfiltration": "Yes", "file_types_exposed": ["PDF"]},
  "date_detected": "2025-11-01",
  "date_publicly_disclosed": "2026-04-07",
  "description": "Security researchers uncovered an active zero-day vulnerability in Adobe Reader, exploited by hackers since at least November 2025. The flaw allows attackers to compromise systems without user interaction when a malicious PDF is opened. The attack leverages a specially crafted file (e.g., Invoice540.pdf) executing obfuscated JavaScript code to exfiltrate data to a remote server (169.40.2.68). The exploit enables remote code execution (RCE) and sandbox escape (SBX), granting full system control. The malicious PDFs contain Russian-language content related to the oil and gas industry, suggesting targeted attacks against entities in that sector.",
  "impact": {
    "data_compromised": "Data exfiltration to remote server (169.40.2.68)",
    "operational_impact": "Potential full system control via RCE and SBX",
    "systems_affected": "Systems running Adobe Reader opening malicious PDFs"
  },
  "initial_access_broker": {
    "entry_point": "Malicious PDF (Invoice540.pdf)",
    "high_value_targets": "Russian oil and gas sector"
  },
  "investigation_status": "Ongoing",
  "motivation": "Targeted attacks against Russian oil and gas sector",
  "post_incident_analysis": {"root_causes": "Unpatched Adobe Reader zero-day vulnerability"},
  "recommendations": "Exercise caution with unsolicited PDFs and monitor network traffic for Adobe Synchronizer-related communications until a patch is released.",
  "references": [{"source": "Haifei Li (EXPMON)"}, {"source": "Giuseppe Massaro (Gi7w0rm)"}],
  "response": {
    "containment_measures": "Exercise caution with unsolicited PDFs, monitor network traffic for Adobe Synchronizer-related communications",
    "enhanced_monitoring": "Monitor network traffic for Adobe Synchronizer-related communications"
  },
  "title": "Zero-Day Exploit in Adobe Reader Targets Russian Oil and Gas Sector",
  "type": "Zero-Day Exploit",
  "vulnerability_exploited": "Unpatched Adobe Reader zero-day vulnerability"
}