Adobe Reader Zero-Day Exploited Since December, Data Theft Confirmed

According to Cyber Threat Intelligence, threat actors have been actively exploiting a zero-day vulnerability in Adobe Reader since at least December. Security researcher Haifei Li, founder of EXPMON, identified a sophisticated PDF exploit that targets an undisclosed flaw in Adobe Reader. The attack requires no user interaction beyond opening a malicious PDF, which makes it particularly insidious. Cyber Threat Intelligence notes that the exploit has been in the wild for at least four months and focuses on data exfiltration using specific Acrobat APIs such as `util.readFileIntoStream` and `RSS.addFeed`.

Further analysis by threat intelligence analyst Gi7w0rm, as reported by Cyber Threat Intelligence, revealed that the phishing lures used in these PDF documents are in Russian and reference current events within the Russian oil and gas sector. This suggests a targeted campaign with potentially nation-state backing or a highly specialized criminal group. Li has confirmed that the vulnerability is unpatched even on the latest versions of Adobe Reader and warned that beyond data theft, the exploit could pave the way for Remote Code Execution (RCE) or Sandbox Escape (SBX) attacks, leading to complete system compromise.

Haifei Li, known for discovering numerous zero-day vulnerabilities in major software, has already alerted Adobe to this critical issue. Until a patch is released, Li advises, and Cyber Threat Intelligence echoes, that users exercise extreme caution when opening PDF documents from unknown or untrusted sources, especially those that appear to relate to sensitive industries.

What This Means For You

  • Given that this Adobe Reader zero-day has been exploited since December, security teams should prioritize strict email and web gateway filtering to block known malicious PDFs and URLs, and run immediate endpoint scans for indicators of compromise (IOCs) associated with the reported `util.readFileIntoStream` and `RSS.addFeed` API usage.
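As an added illustration of the scan suggested above (this is example code, not from the article, EXPMON or Adobe), the following Python script pulls JavaScript bodies out of a PDF, inflating FlateDecode streams, and flags the two Acrobat API names the report associates with the exfiltration stage. The PDF parsing is deliberately simplified, and the sample document is constructed inline.

```python
import re
import zlib

# Acrobat API names the report ties to the exfiltration stage of the exploit.
SUSPICIOUS_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")

# Inline /JS (...) literals and raw stream bodies (simplified, regex-based PDF parsing).
JS_LITERAL_RE = re.compile(rb"/JS\s*\((.*?)(?<!\\)\)", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def extract_script_blobs(pdf_bytes):
    """Yield candidate script bodies: /JS string literals plus every stream body,
    inflating streams whose dictionary declares /FlateDecode."""
    for m in JS_LITERAL_RE.finditer(pdf_bytes):
        yield m.group(1)
    for m in STREAM_RE.finditer(pdf_bytes):
        body = m.group(1)
        dict_start = pdf_bytes.rfind(b"<<", 0, m.start())  # dictionary before 'stream'
        if b"/FlateDecode" in pdf_bytes[dict_start:m.start()]:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # truncated or non-zlib data: skip instead of aborting the scan
        yield body


def scan_pdf(pdf_bytes):
    """Return the sorted list of suspicious API names found in any script body."""
    hits = {api.decode() for blob in extract_script_blobs(pdf_bytes)
            for api in SUSPICIOUS_APIS if api in blob}
    return sorted(hits)


def build_sample_pdf(script):
    """Constructed minimal PDF: an OpenAction JavaScript held in a FlateDecode stream."""
    data = zlib.compress(script)
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(data)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    sample = build_sample_pdf(b"var s = util.readFileIntoStream(p);")  # constructed sample
    print(scan_pdf(sample))  # ['util.readFileIntoStream']
```

Scripts that assemble the API name at runtime, or streams using filters other than FlateDecode, will not be caught, so treat a hit as a triage signal rather than a verdict.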