ADOBE READER ZERO-DAY VULNERABILITY EXPOSES SYSTEMS VIA MALICIOUS PDFS

A cybersecurity researcher has uncovered a dangerous zero-day vulnerability in Adobe Reader that could allow attackers to steal sensitive local files and potentially take full control of a victim’s system—all by convincing users to open a malicious PDF.

The flaw was discovered by researcher Haifei Li using his exploit detection platform EXPMON. Despite being reported to Adobe, no security patch has been released yet, leaving users of the latest Adobe Reader versions at risk. While there is no confirmed evidence of active exploitation, the vulnerability has the capability to collect and leak critical information, raising serious concerns across the cybersecurity community.

According to Li, the zero-day campaign may have been active for at least four months, potentially dating back to December 2025. The attack relies on a specially crafted PDF file embedded with heavily obfuscated JavaScript. In testing, the malicious file—named “yummy_adobe_exploit_uwu.pdf”—was able to execute code within Adobe Reader and exploit a logic flaw in its JavaScript engine.

This exploit bypasses built-in security restrictions and gains access to privileged Acrobat APIs, including the powerful “util.readFileIntoStream()” function. This enables attackers to read arbitrary files from a victim’s system, including sensitive Windows directories, and exfiltrate that data to a remote server.

Additionally, the PDF establishes communication with a command-and-control (C2) server using the “RSS.addFeed()” API. This covert channel allows attackers to both extract data and potentially deliver additional malicious payloads. Although no second-stage payload was observed during testing, any code sent from the server could be executed within Adobe Reader, significantly increasing the threat level.
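For defenders triaging inbound PDFs, the following sketch flags files that carry JavaScript or auto-run actions and searches raw and Flate-compressed streams for the two API names reported above (written in call form, `util.readFileIntoStream` and `RSS.addFeed`). It is an added example, not code from the researcher, EXPMON or Adobe; the function names and the sample bytes are assumptions constructed for illustration.

```python
import re
import zlib

# API names as reported in the article; every other name is this example's own.
SUSPECT_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")
MARKER_RE = re.compile(rb"/(JavaScript|JS|OpenAction)(?![A-Za-z0-9])")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name_escapes(data):
    """Undo PDF name escapes such as /J#53 (= /JS) so markers cannot hide behind them."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(pdf_bytes):
    """Yield each stream body, Flate-inflated when it is zlib data, raw otherwise."""
    for match in STREAM_RE.finditer(pdf_bytes):
        body = match.group(1)
        try:
            # decompressobj tolerates a clipped trailer, unlike zlib.decompress
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body


def triage_pdf(pdf_bytes):
    """Report JavaScript/auto-run markers and the named APIs found in a PDF."""
    haystacks = [decode_name_escapes(h) for h in (pdf_bytes, *inflate_streams(pdf_bytes))]
    markers = sorted({"/" + m.decode() for h in haystacks for m in MARKER_RE.findall(h)})
    apis = sorted({a.decode() for a in SUSPECT_APIS for h in haystacks if a in h})
    return {
        "has_javascript": "/JS" in markers or "/JavaScript" in markers,
        "markers": markers,
        "suspect_apis": apis,
    }


def build_sample():
    """Constructed input: PDF-like bytes whose script sits in a Flate stream."""
    script = b"// constructed sample, names only\nutil.readFileIntoStream; RSS.addFeed;"
    return (
        b"%PDF-1.7\n1 0 obj\n<< /OpenAction << /S /JavaScript /J#53 2 0 R >> >>\nendobj\n"
        b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + zlib.compress(script)
        + b"\nendstream\nendobj\n%%EOF\n"
    )
```

Because the article describes the script as heavily obfuscated, an empty `suspect_apis` list does not clear a file; the JavaScript and `/OpenAction` markers are the more durable signal for routing a PDF to sandboxed analysis.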

Security experts are urging users and organizations to remain vigilant, avoid opening suspicious PDF files, and monitor for updates from Adobe as the situation develops.
