Critical Adobe Reader zero-day lets PDFs steal files, may have been active for months


A cybersecurity researcher is warning of a zero-day vulnerability in Adobe Reader that allows attackers to steal local files and potentially take full control of a victim’s system – simply by getting them to open a PDF.

The flaw, discovered by vulnerability researcher Haifei Li through his own exploit detection platform EXPMON, affects the latest version of Adobe Reader.


Li – who has held positions as a security researcher at McAfee, Microsoft and Fortinet before launching his own platform – said that the vulnerability has been reported to Adobe, but at the time of writing, no patch has been released.

While there is no confirmed evidence of exploitation, the researcher warns the zero-day has “the capability to collect and leak various types of information” and could enable more advanced attacks, urging the security community to remain vigilant.

In an update posted yesterday, Li warned that this zero-day campaign has been going for at least four months – suggesting that it’s been active since December 2025.

‘Yummy Adobe exploit’

According to the research, the attack uses a specially crafted PDF containing heavily obfuscated JavaScript – initially submitted to malware analysis platforms under the file name “yummy_adobe_exploit_uwu.pdf”.

Once the document is opened, the code executes within Adobe Reader and exploits a previously unknown logic flaw in its JavaScript engine.

This allows the malicious script to bypass restrictions and access privileged Acrobat APIs that are normally blocked.


It uses one of these APIs, util.readFileIntoStream(), which allows the PDF to read arbitrary files from the victim’s system.

The researcher demonstrates how the exploit could extract files from sensitive locations, including Windows system directories, and then send them to an attacker-controlled server.

The PDF also establishes communication with a remote command-and-control server using the RSS.addFeed() API. This channel enables data exfiltration and delivery of additional payloads.

While the researcher did not receive a second-stage payload during testing, he confirmed that any code returned by the server would execute within Adobe Reader.
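A defender-side triage check built around the indicators the article names, as an added example that is not part of the report or of EXPMON's tooling: it inflates a PDF's FlateDecode streams and flags JavaScript that references the two privileged Acrobat APIs cited above. The sample PDF is constructed here, and the file path in its script is a placeholder, not a value from the real sample.

```python
import re
import zlib

# Acrobat APIs the report names: file read (exfiltration) and feed request (C2).
PRIVILEGED_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")

# Stream bodies (binary, so bytes regexes); the lookbehind avoids "endstream".
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)
# JavaScript carried inline as a literal string: /JS (...)
INLINE_JS_RE = re.compile(rb"/JS\s*\((.*?)\)\s*>>", re.DOTALL)


def extract_scripts(pdf: bytes) -> list[bytes]:
    """Return script candidates: inline /JS strings plus every stream,
    inflated where it is FlateDecode (obfuscated scripts are usually compressed)."""
    scripts = [m.group(1) for m in INLINE_JS_RE.finditer(pdf)]
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            # decompressobj tolerates the trailing EOL before "endstream"
            scripts.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            scripts.append(body)  # not zlib: scan the raw bytes instead
    return scripts


def triage_pdf(pdf: bytes) -> dict:
    """Flag a PDF whose JavaScript names a privileged Acrobat API."""
    has_js = b"/JavaScript" in pdf or b"/JS" in pdf
    scripts = extract_scripts(pdf)
    hits = {api.decode() for api in PRIVILEGED_APIS for s in scripts if api in s}
    return {"has_javascript": has_js, "privileged_apis": sorted(hits),
            "suspicious": has_js and bool(hits)}


# Constructed sample (not the real malicious file): an OpenAction script,
# Flate-compressed as real samples are, that names one reported API.
_SCRIPT = b'app.alert("constructed sample");util.readFileIntoStream("PLACEHOLDER_PATH");'
_ZSCRIPT = zlib.compress(_SCRIPT)
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(_ZSCRIPT)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _ZSCRIPT
    + b"\nendstream\nendobj\n%%EOF\n"
)
BENIGN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
```

A string match like this catches only scripts that name the API literally; scripts that assemble the name at runtime need a JavaScript emulator or sandbox detonation such as the one the article describes.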

Highly selective campaign

The exploit appears selective, gathering detailed information, including operating system version, language settings, and Reader version, suggesting attackers may be using fingerprinting to decide whether to run further payloads – an approach often seen in targeted campaigns.


While the report focuses on the technical analysis of the exploit, it does not set out the delivery method. It is still unclear how victims might be targeted or how the malicious PDFs are being distributed.

The sample was first identified in March 2026 after being uploaded by an unknown user to EXPMON’s public analysis platform, where it triggered advanced detection mechanisms.

Li added that the sample had also been scanned by VirusTotal, where it had a very low detection rate (5/64), indicating that it may have been circulating undetected.


According to Li, the vulnerability has been responsibly disclosed to Adobe. He added in an update yesterday that a second variant has since been identified, suggesting ongoing development or testing of the exploit.
