CVE-2026-20131: Active Exploitation of Cisco Firewall Management
CISA has KEV-listed CVE-2026-20131 after active exploitation. Security teams should treat Cisco firewall management exposure as an immediate remediation priority.
A zero-day in Adobe Acrobat Reader has been silently exploited since at least December 2025. CISA added CVE-2026-34621 to its KEV catalog on April 13 after Adobe released an emergency patch. Every enterprise running unpatched Acrobat is exposed.
On March 26, 2026, a PDF file named yummy_adobe_exploit_uwu.pdf was submitted to EXPMON, a public platform for detecting advanced file-based exploits. Security researcher Haifei Li analyzed the sample and found that it triggered an unknown vulnerability in Adobe Acrobat Reader. The file fingerprinted the underlying system and silently relayed information to a command-and-control server. A nearly identical sample had already been submitted to the service in November 2025, placing the earliest likely exploitation window at December 2025 — more than four months before Adobe issued a fix.
Adobe published emergency bulletin APSB26-43 on April 11, 2026, assigning it Priority 1 — the highest urgency rating. Two days later, CISA added CVE-2026-34621 to its Known Exploited Vulnerabilities catalog with a federal remediation deadline of April 27. The vulnerability carries a CVSS base score of 8.6 after Adobe revised the attack vector from Network to Local following closer analysis. The original score was 9.6.
Adobe Acrobat Reader has long supported JavaScript execution inside PDF documents. This design enables dynamic forms, digital signatures, and interactive workflows — but it also exposes a runtime JavaScript engine to attacker-controlled input. CVE-2026-34621 exploits a class of vulnerability known as prototype pollution.
In JavaScript, every object inherits properties through a prototype chain that ultimately reaches Object.prototype. Prototype pollution occurs when an attacker can inject or overwrite properties at that root level. Once Object.prototype is modified, those injected properties appear as if they belong to every object in the application. Functions that check whether a property exists, route logic based on property values, or pass configuration to lower-level operations can then be redirected. In Acrobat's JavaScript engine, this mechanism can be abused to influence control flow in a way that leads to execution of attacker-controlled code in the context of the logged-in user. The user does not need to perform any action beyond opening the PDF.
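To make the mechanism concrete, here is an added JavaScript illustration (not Acrobat's engine code): a naive deep merge through which an own key named `__proto__` reaches `Object.prototype`, the hardened merge beside it, and a downstream property-existence check that the pollution redirects. The merge functions, `featureEnabled` and the `allowExternalScript` flag are hypothetical names chosen for the example.

```javascript
// Added illustration, not Acrobat's code: how a deep merge pollutes Object.prototype.

// Vulnerable: copies every key; "__proto__" on a plain object resolves to
// Object.prototype, so the recursion lands on the shared root.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" &&
        target[key] !== null && typeof target[key] === "object") {
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse prototype-chain keys and only recurse into the target's
// own properties, so the merge can never reach Object.prototype.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object") {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Downstream logic of the kind the text describes: "in" walks the prototype
// chain, so a polluted root property satisfies the check for any object at all.
function featureEnabled(config, name) {
  return name in config && config[name] === true;
}

// Merge a constructed hostile payload into a scratch object, then test an
// unrelated object. Returns true if the pollution leaked; cleans up afterwards.
function pollutionLeaks(merge) {
  const payload = JSON.parse('{"__proto__": {"allowExternalScript": true}}');
  merge({}, payload);
  const leaked = featureEnabled({}, "allowExternalScript");
  delete Object.prototype.allowExternalScript;
  return leaked;
}
```

`JSON.parse` creates an own property literally named `__proto__`, which is why `Object.keys` sees it; the same payload passed through `safeMerge` leaves the prototype untouched.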
The malicious PDFs analyzed by researchers contained text in Russian related to gas supply disruption and emergency response — phrasing designed to appear relevant to government, energy, or infrastructure personnel who would open such a document without suspicion. Once opened, the exploit executes JavaScript that enumerates system properties and sends the results to attacker-controlled infrastructure. Researchers identified two C2 endpoints: 169.40.2.68 and 188.214.34.20. The exploit also attempts to retrieve and execute a follow-on payload from the C2 server, although this second stage was not successfully triggered during analysis.
This staged architecture — reconnaissance first, payload delivery second — is consistent with targeted intrusion campaigns where the attacker wants to validate the victim environment before committing further tooling. The four-month gap between initial exploitation and public disclosure means that compromises established during this window would have had substantial dwell time. Affected organizations may find forensic traces dating back to late 2025 without any prior alert having fired.
CVE-2026-34621 affects Adobe Acrobat DC and Acrobat Reader DC up to and including version 26.001.21367, and Adobe Acrobat 2024 up to and including version 24.001.30356, on both Windows and macOS. The fixed versions are: Acrobat DC / Reader DC 26.001.21411 (Windows and macOS), Acrobat 2024 24.001.30362 (Windows), and Acrobat 2024 24.001.30360 (macOS).
Priority 1 in Adobe's severity system means the company believes exploitation is imminent or already observed in active campaigns against specific product versions. IT teams should treat this as a forced upgrade with no grace period. In environments where Acrobat is deployed via endpoint management tooling, the update should be pushed as an emergency change. Where auto-update is enabled, confirm that endpoints have actually received the update — auto-update failures in enterprise proxy environments are a common point of silent patching gaps. As a temporary measure while patching is underway, network teams can block outbound connections to the two known C2 addresses.
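As an added example of the verification step (not Adobe's or tinte.io's tooling), the script below classifies an endpoint inventory export against the fixed builds listed above, per platform, because the Acrobat 2024 fix builds differ between Windows and macOS. The record shape, the host names and the rule that any build below the fixed one counts as vulnerable are assumptions.

```javascript
// Added example, not Adobe's or tinte.io's code: classify endpoint inventory
// records against the fixed builds listed above. The record shape
// {host, product, platform, version} is an assumed export format.

// Minimum fixed build per product and platform, as published in APSB26-43.
// Note the macOS build for Acrobat 2024 is lower than the Windows one.
const FIXED_BUILDS = {
  "Acrobat DC":        { windows: "26.001.21411", macos: "26.001.21411" },
  "Acrobat Reader DC": { windows: "26.001.21411", macos: "26.001.21411" },
  "Acrobat 2024":      { windows: "24.001.30362", macos: "24.001.30360" },
};

// Segment-wise numeric comparison: "26.001.21367" sorts before "26.001.21411".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "patched" at or above the fixed build, "vulnerable" below it (conservative:
// anything older than the fix is treated as exposed), "unknown" otherwise.
function assess(record) {
  const perPlatform = FIXED_BUILDS[record.product];
  const fixed = perPlatform && perPlatform[String(record.platform).toLowerCase()];
  if (!fixed || !/^\d+(\.\d+)*$/.test(record.version)) return "unknown";
  return compareVersions(record.version, fixed) < 0 ? "vulnerable" : "patched";
}

// Constructed sample inventory (hypothetical hosts).
const SAMPLE_INVENTORY = [
  { host: "ws-fin-01",    product: "Acrobat Reader DC", platform: "Windows", version: "26.001.21367" },
  { host: "ws-fin-02",    product: "Acrobat Reader DC", platform: "Windows", version: "26.001.21411" },
  { host: "mac-legal-07", product: "Acrobat 2024",      platform: "macOS",   version: "24.001.30356" },
  { host: "mac-legal-08", product: "Acrobat 2024",      platform: "macOS",   version: "24.001.30360" },
  { host: "ws-hr-03",     product: "Acrobat 2024",      platform: "Windows", version: "24.001.30360" },
  { host: "ws-hr-04",     product: "Acrobat Reader DC", platform: "Windows", version: "" },
];

// Hosts that still need the emergency update pushed.
function hostsNeedingPatch(inventory) {
  return inventory.filter((r) => assess(r) === "vulnerable").map((r) => r.host);
}
// Hosts whose record cannot be evaluated (e.g. empty version) and need manual follow-up.
function hostsUnknown(inventory) {
  return inventory.filter((r) => assess(r) === "unknown").map((r) => r.host);
}
```

The `ws-hr-03` case is the one to watch: 24.001.30360 is the fixed build on macOS but still below the Windows fix, so a platform-blind check would miss it.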
CVE-2026-34621 illustrates a recurring pattern in enterprise vulnerability management: widely deployed productivity software accumulates risk because it is perceived as lower-priority than server infrastructure. Adobe Acrobat is installed on nearly every workstation in finance, legal, HR, and administrative functions across the DACH region. The assumption that document viewers carry less risk than network appliances is regularly disproved by the attacker community. Prototype pollution via PDF-embedded JavaScript is precisely the kind of attack path that shows up in endpoint telemetry rather than network scanning, and only if EDR is properly configured to log JavaScript process behavior.
For organizations subject to NIS2, this event maps directly to the patch management obligations in Article 21: identify affected assets, assess exposure, and remediate within a risk-appropriate timeframe. A four-month undetected exploitation window is exactly the scenario that informed risk assessments are meant to prevent through continuous asset visibility and patch status monitoring. Attack surface management tools that track software versions across endpoints, combined with feed monitoring for KEV additions, can reduce the gap between public disclosure and verified remediation to hours rather than weeks. The tinte.io platform surfaces exposure of this kind as part of continuous vulnerability assessment — if your Acrobat versions are visible externally or your endpoints report into an inventory system, the patch gap can be closed before the next analyst notices a suspicious PDF submission.