Adobe Acrobat Zero-Day Exploited in the Wild — Patch Now

Adobe has released an emergency patch for a critical zero-day vulnerability in Acrobat Reader that has been actively exploited in the wild since late 2025. If your team uses Adobe Acrobat or Reader — and most offices do — you need to update immediately.

The flaw, tracked as CVE-2026-34621 (CVSS 8.6), is a prototype pollution vulnerability in Acrobat Reader’s JavaScript engine. An attacker can craft a malicious PDF that, when opened, executes arbitrary code on the victim’s machine. The exploit fingerprints the target system and phones home to attacker-controlled servers. Security researcher Haifei Li flagged the exploit after malicious PDF samples were submitted to the public threat detection platform EXPMON.

What to do right now: Update all instances of Adobe Acrobat and Reader to the latest versions — Acrobat DC/Reader DC v26.001.21411 (Windows and macOS) or Acrobat 2024 v24.001.30362 (Windows) / v24.001.30360 (macOS). Remind your team not to open unexpected PDF attachments, even from seemingly known senders. If you use a managed IT service, confirm with your provider that the patch has been deployed across your fleet.
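To confirm the patch has reached every machine, the check below compares an inventory export against the fixed builds listed above. It is an added example, not Adobe's or any vendor's tooling. The CSV columns (`host`, `track`, `os`, `version`), the function names and the sample rows are constructed assumptions; adapt them to whatever your management tool exports.

```python
import csv
import io

# Fixed builds as stated in this advisory, keyed by (product track, OS).
FIXED = {
    ("dc", "windows"): "26.001.21411",
    ("dc", "macos"): "26.001.21411",
    ("2024", "windows"): "24.001.30362",
    ("2024", "macos"): "24.001.30360",
}

def parse_version(text):
    """Turn '26.001.21411' into (26, 1, 21411); raise ValueError if malformed."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(track, os_name, version):
    """Return 'patched', 'unpatched' or 'review' for one installation."""
    fixed = FIXED.get((track.strip().lower(), os_name.strip().lower()))
    if fixed is None:
        return "review"  # track/OS combination the advisory does not list
    try:
        installed = parse_version(version)
    except ValueError:
        return "review"  # inventory agent reported something unparseable
    # Numeric tuple comparison avoids string-ordering mistakes on zero-padded parts.
    return "patched" if installed >= parse_version(fixed) else "unpatched"

def audit(inventory_csv):
    """Map each host in a CSV inventory export to its patch status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["track"], r["os"], r["version"]) for r in rows}

# Constructed sample inventory (hypothetical hosts and installed versions).
SAMPLE = """host,track,os,version
ws-001,DC,Windows,26.001.21411
ws-002,DC,Windows,25.001.20997
mac-003,2024,macOS,24.001.30360
ws-004,2024,Windows,24.001.30360
ws-005,DC,Windows,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Note that the same Acrobat 2024 build number is patched on macOS but not on Windows, because the fixed builds differ by platform; anything marked `review` needs a manual look.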

This is also a good time to review your email filtering rules. Malicious PDFs remain one of the most common delivery mechanisms for targeted attacks on Australian businesses. If your current setup is not scanning inbound attachments, talk to your IT provider about strengthening your defences.
