Adobe Acrobat Zero-Day CVE-2026-34621: Patch Your PDF Readers Now

Adobe has patched a critical zero-day vulnerability in Acrobat and Reader that attackers have been exploiting since at least November 2025. CVE-2026-34621 carries a CVSS score of 8.6, requires nothing more than opening a malicious PDF to trigger, and gives attackers the ability to execute arbitrary code on the victim’s machine. If your business uses Adobe Acrobat or Reader, confirm your versions are patched today.

What CVE-2026-34621 Does

The vulnerability exploits a prototype pollution flaw in Adobe Acrobat’s JavaScript engine. When a user opens a specially crafted PDF, the exploit modifies internal object prototypes to hijack program execution. From there, the attacker can run arbitrary code on the victim’s system silently, without any additional clicks, prompts, or permissions beyond opening the file itself.

There is no warning dialog. No “enable macros” prompt. No suspicious behavior the user would notice. The PDF can look like any normal business document: an invoice, a contract draft, a compliance report. The malicious payload executes the moment Acrobat renders the file.

According to Malwarebytes, researchers have observed malicious PDFs disguised as routine business correspondence distributed through targeted email campaigns. The attackers are not blasting these out indiscriminately. They are sending them to specific companies in industries where PDF attachments are a normal part of daily operations: legal, financial services, healthcare, and professional services.

Attackers Had a Five-Month Head Start

The timeline on this vulnerability is what makes it especially dangerous. Security researchers have traced active exploitation back to November 2025, which means attackers had roughly five months of unrestricted access to this exploit before Adobe released a patch in April 2026.

During that window, every business running an affected version of Adobe Acrobat was vulnerable. Every PDF opened from an untrusted source was a potential compromise vector. Organizations without strong endpoint detection and response may have been breached during that period without knowing it.

CISA added CVE-2026-34621 to its Known Exploited Vulnerabilities (KEV) catalog on April 13, 2026, with a federal remediation deadline of April 27. That deadline has already passed. Any organization still running unpatched versions is exposed to a known, actively exploited threat with public documentation that lowers the bar for additional attackers.

The five-month exploitation window also means that patching alone may not be sufficient. If your environment was compromised before the patch was available, the attacker may already have persistent access through other means. Patching closes the front door, but it does not evict someone who is already inside.

How to Check Your Version and Patch

The following versions are affected and require immediate patching:

• Adobe Acrobat DC / Reader DC version 26.001.21367 and earlier
• Adobe Acrobat 2024 / Reader 2024 version 24.001.30356 and earlier

Update to these patched versions:

• Acrobat DC / Reader DC: 26.001.21411 or later
• Acrobat 2024 / Reader 2024: 24.001.30362 (Windows) or 24.001.30360 (macOS) or later

For Individual Users

1. Open Adobe Acrobat or Reader
2. Click Help > About Adobe Acrobat (Windows) or Acrobat > About Adobe Acrobat (macOS)
3. Compare the version number against the affected versions listed above
4. If you are running an affected version, click Help > Check for Updates and install the available patch
5. Restart the application after the update completes

For IT Administrators

1. Inventory your Adobe installations. Use your endpoint management tool (Intune, SCCM, ConnectWise, or similar) to query installed software versions across all endpoints. Identify every machine running an affected version.
2. Deploy the patch through your management platform. Adobe provides enterprise update packages through the Adobe Admin Console for Creative Cloud deployments. For perpetual licenses, download the patch from Adobe’s enterprise distribution site.
3. Verify installation. After deployment, run a follow-up query to confirm the patched version is installed on all targeted endpoints. Do not assume the deployment succeeded because it was scheduled.
4. Scan for compromise indicators. Given the five-month exploitation window, review endpoints that frequently handle PDF files. Look for unusual outbound connections, unexpected processes spawned by Acrobat, and recently created files in temp directories that coincide with PDF opening events.

If your organization lacks automated patch management, this vulnerability is a clear example of why one is necessary. Manual patching across an entire office consistently leaves gaps that attackers exploit.

Protecting Your Environment Beyond the Patch

PDF-based attacks remain effective because PDFs are inherently trusted. Every business sends and receives them daily. Invoices, contracts, compliance reports, and legal filings all arrive as PDF attachments, and employees are conditioned to open them without hesitation. Unlike executable files or Office macros, which email security tools flag more aggressively, PDFs often pass through filters with less scrutiny.

Patching Acrobat addresses this specific vulnerability, but it does not address the broader risk. These additional controls reduce exposure to the next PDF-based exploit, not just this one:

• Email filtering with attachment sandboxing. Configure your email security platform to detonate PDF attachments in a sandbox before delivering them to users. This catches malicious PDFs even when the specific exploit is unknown. Tools like Proofpoint and Mimecast support this capability.
• Endpoint detection and response (EDR). A properly configured EDR solution can detect and block post-exploitation behavior that follows a successful PDF exploit, including code execution from a PDF reader process, credential access, or lateral movement across your network.
• Disable JavaScript in Acrobat. Most business users do not need JavaScript enabled in their PDF reader. In Acrobat, go to Edit > Preferences > JavaScript and uncheck Enable Acrobat JavaScript. This single setting would have neutralized CVE-2026-34621 entirely, since the exploit depends on JavaScript execution.
• User awareness. Remind your team to verify unexpected PDF attachments through a separate communication channel before opening them, particularly invoices or legal documents from unfamiliar senders.

What to Do This Week

This vulnerability follows the same pattern we have seen with the FortiClient EMS zero-day and the April Patch Tuesday SharePoint flaw: a critical flaw is disclosed, a patch is released, and organizations that lack systematic patching get compromised in the gap between the two. Businesses with managed security and automated patching respond to these disclosures within hours. Those without dedicated security operations often take weeks or months.

Here is a checklist your IT team should work through immediately:

1. Verify your Adobe Acrobat/Reader version on every company endpoint
2. Deploy the April 2026 patch to all affected machines
3. Disable JavaScript in Acrobat as a defense-in-depth measure
4. Review recent email logs for PDF attachments from unfamiliar senders
5. Run endpoint scans on machines that handle high volumes of external PDFs, particularly those used before the patch was available

If you need help deploying the patch across your environment or investigating whether your systems were compromised during the five-month exploitation window, contact our team at 800-985-1365.