SecurityWeek

Adobe Reader Zero-Day Exploited for Months: Researcher

Reputable researcher Haifei Li has come across what appears to be a PDF designed to exploit an unpatched vulnerability.

A researcher has come across what appears to be an actively exploited Adobe Reader zero-day vulnerability.

Haifei Li is asking the cybersecurity community for assistance in investigating what he describes as a sophisticated PDF exploit.

Li is a reputable researcher who over the past two decades has worked at Fortinet, Microsoft, McAfee, and Check Point. He is the founder and developer of Expmon, a sandbox-based system designed to detect file-based zero-days and other exploits.

The new Reader exploit was detected by Expmon, and an analysis showed that the identified PDF “acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits”.

The researcher believes the PDF exploits a zero-day vulnerability as the attack has been confirmed to work against the latest version of Adobe Reader.

While Li has confirmed that the identified exploit collects user and other data from the compromised system, he was unable to reproduce the complete attack chain and obtain additional payloads that may be used for a sandbox escape or remote code execution. 

SecurityWeek has reached out to Adobe, but it may take some time for the company to share information on its assessment considering that it only received the details of the exploit on or around April 7. 

Exploits targeting the potential zero-day have been submitted to both Expmon and VirusTotal. One sample identified on VirusTotal was submitted in November 2025, which indicates that the vulnerability has been exploited for at least 4 months.

One threat intelligence analyst who reviewed the exploits noted that the malicious PDFs contained Russian-language lures and referenced current events in Russia’s oil and gas sector. 

Adobe has credited Li with reporting several Reader and Acrobat vulnerabilities in recent years, including critical code-execution flaws. 

However, in the case of a Reader vulnerability discovered in 2024 and tracked as CVE-2024-41869, Adobe has not confirmed in-the-wild exploitation after Li reported coming across a PDF that apparently attempted to weaponize the bug. 

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
