
Adobe Reader zero-day exploited since December via weaponized PDFs

· via BleepingComputer

Original source: "Hackers exploiting Acrobat Reader zero-day flaw since December" (BleepingComputer)

EXPMON founder Haifei Li disclosed an unpatched Adobe Reader vulnerability that attackers have been exploiting in the wild since at least December. The exploit triggers on the latest version of Reader with no user interaction beyond opening a malicious PDF, and abuses privileged Acrobat APIs — specifically util.readFileIntoStream and RSS.addFeed — to exfiltrate local data and stage follow-on payloads. Li characterizes the technique as a fingerprinting-style chain capable of pivoting into remote code execution and sandbox escape, which would hand attackers full control of the host.

Threat analyst Gi7w0rm found the PDF lures use Russian-language content tied to the Russian oil and gas sector, suggesting a targeted operation rather than commodity crimeware. Li notified Adobe and went public to put defenders on notice ahead of a patch.

Until a fix ships, the practical mitigations are narrow: avoid opening PDFs from untrusted senders, and have network defenders monitor or block HTTP/HTTPS traffic containing the ‘Adobe Synchronizer’ string in the User-Agent header, which Li identifies as a signature of the post-exploitation callback.
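One way to hunt for that callback indicator in existing proxy logs, as an added example that is not from the article or from EXPMON: it parses combined-log-format lines, flags every request whose User-Agent contains the marker string, and lists the internal hosts that need triage. The log lines, client and server addresses, and User-Agent variants are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Set

# Indicator cited in the article: the post-exploitation callback carries this
# string in the HTTP User-Agent header. Matched as a substring so that a
# version suffix or other decoration does not defeat the check.
SUSPECT_UA_MARKER = "Adobe Synchronizer"

# Constructed proxy log in combined log format (not real traffic).
SAMPLE_PROXY_LOG = """\
10.0.0.12 - - [14/Jan/2025:09:12:01 +0000] "GET http://example.com/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
10.0.0.31 - - [14/Jan/2025:09:12:07 +0000] "POST http://198.51.100.7/upload HTTP/1.1" 200 88 "-" "Adobe Synchronizer/1.0"
10.0.0.31 - - [14/Jan/2025:09:12:09 +0000] "GET http://198.51.100.7/stage2 HTTP/1.1" 200 4096 "-" "Adobe Synchronizer"
10.0.0.45 - - [14/Jan/2025:09:13:00 +0000] "GET http://example.org/news HTTP/1.1" 304 0 "-" "curl/8.4.0"
"""

# Combined log format: client ident user [ts] "METHOD URL PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspect_callbacks(log_text: str, marker: str = SUSPECT_UA_MARKER) -> List[Dict[str, str]]:
    """Return every parsed request whose User-Agent contains the marker."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and marker in rec["ua"]:
            hits.append(rec)
    return hits


def hosts_to_triage(hits: List[Dict[str, str]]) -> Set[str]:
    """Distinct internal source addresses that produced a flagged request."""
    return {h["src"] for h in hits}


if __name__ == "__main__":
    flagged = find_suspect_callbacks(SAMPLE_PROXY_LOG)
    for h in flagged:
        print(f'{h["ts"]} {h["src"]} {h["method"]} {h["url"]} UA="{h["ua"]}"')
    print("hosts to triage:", sorted(hosts_to_triage(flagged)))
```

Two of the four constructed lines match and both come from 10.0.0.31, so that host is the one to pull for endpoint triage; the same predicate can be dropped into a proxy or IDS rule to block rather than just flag.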


This is an AI-generated summary. Read the original for the full story.