[CDP-development] TLP:GREEN (Zero-Day/Vulnerability Alert Notification) CVE-2026-34621: Adobe Acrobat and Reader · Prototype Pollution Vulnerability

ESO_SOC * DAS ESO.SOC at das.oregon.gov
Mon Apr 13 13:17:15 PDT 2026


Good morning,
The SOC Services team is reporting on CVE-2026-34621, a Prototype Pollution vulnerability affecting Adobe Acrobat and Reader products. Because Adobe has confirmed active exploitation in the wild and released an emergency patch, we are providing this in-depth information.
History: Adobe disclosed and patched this zero-day vulnerability on April 11, 2026. The CVSS v3.x base score, provided by Adobe Systems Incorporated, is 8.6 (High).
Affected Versions

  *   Acrobat DC / Acrobat Reader DC versions 26.001.21367 and earlier
  *   Acrobat 2024 versions 24.001.30356 and earlier

Fixed Versions

  *   Acrobat DC / Acrobat Reader DC version 26.001.21411
  *   Acrobat 2024 version 24.001.30362 (Windows) / 24.001.30360 (macOS)
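
One way to triage a software inventory against the fixed builds listed above. This is an added example, not part of the original advisory; the track and platform labels, the status names and the inventory rows are constructed, and the track is assumed to come from the inventory record.

```javascript
// Added example. Fixed builds are copied from the "Fixed Versions" list above;
// the track/platform labels and the inventory rows are constructed.
const FIXED_BUILDS = new Map([
  ["DC/windows", "26.001.21411"],
  ["DC/macos", "26.001.21411"],
  ["2024/windows", "24.001.30362"],
  ["2024/macos", "24.001.30360"],
]);

// Parse "26.001.21367" into [26, 1, 21367]; return null for anything else.
function parseVersion(text) {
  const match = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  return match ? match.slice(1).map(Number) : null;
}

// Numeric, field-by-field comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Any build below the fixed build for its track and platform needs the update.
function classify({ track, platform, version }) {
  const fixed = FIXED_BUILDS.get(`${track}/${platform}`);
  const installed = parseVersion(version);
  if (!fixed || !installed) return "unknown";
  return compareVersions(installed, parseVersion(fixed)) < 0 ? "needs_update" : "fixed";
}

// Constructed inventory rows.
const inventory = [
  { host: "ws-01", track: "DC", platform: "windows", version: "26.001.21367" },
  { host: "ws-02", track: "DC", platform: "macos", version: "26.001.21411" },
  { host: "ws-03", track: "2024", platform: "windows", version: "24.001.30356" },
  { host: "ws-04", track: "2024", platform: "macos", version: "24.001.30360" },
  { host: "ws-05", track: "2024", platform: "windows", version: "not reported" },
];

// Hosts to patch first, plus rows that need manual review.
function triage(rows) {
  const byStatus = { needs_update: [], fixed: [], unknown: [] };
  for (const row of rows) byStatus[classify(row)].push(row.host);
  return byStatus;
}

console.log(triage(inventory));
```

Rows reported as "unknown" have an unrecognised track, platform or version string and should be checked by hand rather than assumed patched.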

Acrobat Reader is affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability. This allows an attacker to manipulate application objects and properties via malicious JavaScript within a PDF.

Vendor Advisory: APSB26-43: Security Updates Available for Adobe Acrobat and Reader <https://helpx.adobe.com/security/products/acrobat/apsb26-43.html>
Intelligence: On April 13, 2026, CISA listed the vulnerability in the Known Exploited Vulnerabilities Catalog.
Exploitability Level: Local Exploitability
Complexity: Low
User Interaction: Required
Remotely Exploitable: No
Proof of Concept: (Zero-Day and Active exploitation since December 2025)
Zero Day: Yes
Workarounds: Disable JavaScript execution within Adobe Reader preferences.
How it Works: This is a case of Prototype Pollution (CWE-1321) where malicious JavaScript code embedded in a PDF document manipulates the base prototype of objects, allowing the attacker to override application logic.
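
A generic illustration of the CWE-1321 mechanism described above, added here as an example; it is not part of the original advisory and does not reproduce the Acrobat flaw. The merge helpers, the trust checks and the sample input are all constructed: they show how a polluted base prototype changes the outcome of application logic on an unrelated object, and how key filtering plus own-property checks prevent it.

```javascript
// Added illustration of CWE-1321. All names and the sample input are constructed;
// this is generic JavaScript, not Acrobat's API and not the flaw in the advisory.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Weak pattern: a recursive merge that follows every key, including "__proto__".
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object") {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value); // target["__proto__"] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip prototype-bearing keys and only descend into own properties.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object") {
      const own = hasOwn(target, key) && target[key] && typeof target[key] === "object";
      if (!own) target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Application logic: one check trusts inherited properties, the other does not.
const isTrustedNaive = (doc) => doc.trusted === true;
const isTrustedStrict = (doc) => hasOwn(doc, "trusted") && doc.trusted === true;

// Merge untrusted data, then evaluate the checks on an object the merge never touched.
function demo(mergeFn) {
  const untrusted = JSON.parse('{"title":"report","__proto__":{"trusted":true}}');
  mergeFn({}, untrusted);
  const unrelated = {};
  const polluted = "trusted" in Object.prototype;
  const result = { polluted, naive: isTrustedNaive(unrelated), strict: isTrustedStrict(unrelated) };
  delete Object.prototype.trusted; // reset global state between runs
  return result;
}
console.log(demo(unsafeMerge), demo(safeMerge));
```

With the weak merge the naive check passes for an empty object; with the hardened merge, or with the own-property check, it does not.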
Post-Exploit Impact:

  *   Arbitrary Code Execution (CWE-1321)
  *   Full context takeover of the current user session (CWE-1321)

Indicators of Compromise (IoCs):
Tenable Plugins: As of April 13, 2026, Tenable has provided the following plugins for the published KEV.

Plugin ID | Plugin Title | Severity | Platform
306006<https://www.tenable.com/plugins/nessus/306006> | Adobe Acrobat < 24.001.30360 / 26.001.21411 Vulnerability (APSB26-43) (macOS) | High | Nessus
306007<https://www.tenable.com/plugins/nessus/306007> | Adobe Acrobat < 24.001.30362 / 26.001.21411 Vulnerability (APSB26-43) | High | Nessus
306008<https://www.tenable.com/plugins/nessus/306008> | Adobe Reader < 26.001.21411 Vulnerability (APSB26-43) | High | Nessus
306009<https://www.tenable.com/plugins/nessus/306009> | Adobe Reader < 26.001.21411 Vulnerability (APSB26-43) (macOS) | High | Nessus

Recommended Actions:
Date Added to KEV Catalog: April 13, 2026
Due Date for Remediation: April 27, 2026

  *   Prioritize the deployment of Adobe security updates across all workstations.
  *   Verify that the host has not been compromised before applying patches.
  *   Apply appropriate updates provided by the vendor to vulnerable systems after testing.
  *   Run all software as a non-privileged user to reduce the impact of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.


Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378



