External risk intelligence
Adobe Acrobat Reader could allow attackers to compromise employee devices via malicious files.
Adobe Acrobat Reader could allow an attacker to execute code on employee devices if a user opens a malicious file, potentially compromising sensitive files or stored credentials. This issue is currently being actively exploited in the wild, posing a significant risk to the security of our workstations.
Halo Surface Signal
1/5: This vulnerability affects client-side software (Adobe Acrobat Reader) installed on local endpoints. Exploitation requires user interaction to open a malicious file. The application is not a network-reachable service or internet-facing infrastructure, meaning it lacks a public attack surface.
Exposure facts
H – Horizon Alert
A security vulnerability has been identified in Adobe Acrobat Reader involving a technical flaw known as “prototype pollution.” If a user opens a malicious file, this issue could allow unauthorized code to execute with the privileges of that user. This creates a potential risk to the security and integrity of information stored on or accessed by the affected device. Awareness of this risk is important for maintaining oversight of our document management tools.
A – Asset Exposure
This vulnerability affects endpoints, such as employee workstations and devices, that utilize Adobe Acrobat and Reader. Because successful exploitation requires a user to open a malicious file, the risk is primarily associated with standard user workflows rather than direct network or internet exposure. Should this issue be triggered, it could grant unauthorized control of the endpoint, potentially compromising sensitive files or stored credentials accessible to that user.
L – Live Threat
This vulnerability is actively being exploited in the wild, as evidenced by its inclusion in the CISA Known Exploited Vulnerabilities catalog. The flaw allows for arbitrary code execution if a user opens a malicious file, which presents a significant risk to the environment. While there is no current data linking this activity to ransomware campaigns, the confirmed status of active exploitation necessitates prioritizing this issue.
O – Operational Fix
We recommend that IT and security teams prioritize applying the official security updates provided by the vendor to address this issue in Acrobat and Reader. Please consult the associated vendor security bulletin to ensure all recommended patches or mitigation steps are correctly implemented across your environment. Additionally, as this risk requires user interaction, remind staff to maintain standard security practices when opening files from unknown or untrusted sources.