Adobe Reader Zero-Day Exploit: Active Since December 2025 via Malicious PDFs
A previously unknown zero-day vulnerability in Adobe Reader has been under active exploitation for months, with attackers using maliciously crafted PDFs to target users. The sophisticated exploit, documented by researcher Haifei Li of EXPMON, has been in the wild since at least December 2025, and the first malicious artifact appeared on VirusTotal as early as November 28, 2025. The flaw is a critical, unpatched threat to one of the world's most ubiquitous document viewers.
The campaign's longevity and the high sophistication of the exploit chain signal a well-resourced and persistent threat actor. PDFs are a particularly dangerous attack vector because the format is universally trusted and used daily in business and personal communications worldwide. That the vulnerability remained undisclosed and unpatched for over four months while being actively weaponized raises serious questions about detection capabilities and the software's security posture.
This ongoing exploit places immense pressure on organizations and individual users who rely on Adobe Reader, forcing a critical reassessment of document security practices. It also highlights the expanding window of risk for zero-day vulnerabilities, where advanced threats can operate undetected for extended periods before public disclosure. The incident prompts urgent scrutiny of software supply chain security and the effectiveness of current threat-hunting methodologies against stealthy, long-running campaigns.