Adobe PDF Zero-Day Exploited by Hackers for Months Before Patch

A critical zero-day vulnerability in Adobe's ubiquitous PDF software was actively exploited by hackers for months before the company issued a fix. The campaign, which targeted victims since at least November 2025, leveraged a previously unknown security flaw, allowing attackers to compromise systems through malicious PDF files. The extended period of exploitation before detection and patching highlights a significant window of risk for users who may have unknowingly opened weaponized documents.

The exact scale of the compromise remains unclear, with Adobe and security researchers unable to determine how many systems were affected. The exploitation of a zero-day—a flaw unknown to the vendor—suggests a sophisticated and targeted operation, though the specific motives and victims have not been disclosed. This incident underscores the persistent threat posed by document-based attacks, which remain a favored vector for breaching corporate and personal systems.

The belated patch places pressure on Adobe's security response protocols and raises urgent questions for organizations reliant on its software. Companies and individual users are now compelled to verify that their Adobe applications are fully updated to the latest secure version. The episode serves as a stark reminder of the hidden vulnerabilities in foundational software and the critical importance of prompt vulnerability disclosure and patch management in an era of sustained digital conflict.