Adobe's Acrobat zero-day sat on VirusTotal for 136 days. Patch is APSB26-43.
CVE-2026-34621 is an actively exploited Acrobat and Reader bug that runs attacker JavaScript inside the PDF runtime. The first sample hit VirusTotal in November and went unflagged.
Adobe shipped an emergency Acrobat and Reader patch on April 11 for CVE-2026-34621, a zero-day that attackers have been firing off in the wild since at least last November. The fix is bulletin APSB26-43 and it’s marked priority 1, the company’s highest urgency tier.
The hook is what was already on VirusTotal. Researcher Haifei Li, who runs the EXPMON sandbox, told Help Net Security that one of the malicious PDFs first appeared on VirusTotal on November 28, 2025. EXPMON only flagged it in late March, after a separate sample tripped the deeper behavioral logic on March 26. By the time Adobe published a CVE on April 11, the file had been sitting on a public malware-sharing service for roughly 136 days. None of the antivirus engines that scan VirusTotal submissions had marked it as a problem.
What the bug actually does
CVE-2026-34621 is a JavaScript execution bug in Acrobat and Reader’s PDF runtime. The malicious PDFs embed obfuscated JavaScript that runs as soon as the document opens. According to BleepingComputer, the script abuses Acrobat APIs like util.readFileIntoStream() to read arbitrary local files and exfiltrate them. It also fingerprints the host (language, OS version, Reader version, local paths) and calls back to an attacker server, which then conditionally serves a sandbox escape or code-execution payload depending on what it finds.
That last step is why Adobe initially scored the bug at CVSS 9.6 with a network attack vector and then walked it back to 8.6 with a local vector on April 12. You still need a user to open the file; once they do, the first stage runs the moment the document loads.
The lures Li and Gi7w0rm spotted in the wild are Russian-language documents with images of gas-supply disruptions and emergency-response notices, aimed at Russian-speaking targets in government and energy. Li described the staged delivery as “an advanced fingerprinting attack” rather than a generic spray, where the second-stage server only fires payloads at hosts that match its targeting profile. EXPMON’s April 11 confirmation post said simply, “Adobe has confirmed our findings and has issued an emergency security update for all Adobe Reader (and other affected products) users.”
What you patch to
The fixes ship in the latest tracks of each product, not as backports. The exact builds, per Adobe’s bulletin and BleepingComputer’s writeup:
- Acrobat DC and Reader DC: 26.001.21411 (Windows and macOS).
- Acrobat 2024: 24.001.30362 on Windows, 24.001.30360 on macOS.
If you’re running a managed estate on the older Continuous tracks or the Acrobat 2020 line, that line stopped getting updates last year and is not in this bulletin. There is no fix for it. Move users off, or pin them to a viewer that isn’t Adobe’s.
TechCrunch reports Adobe has not named the threat actor behind the campaign and would not say how many customers were hit. The company confirmed the bug was being exploited in the wild before the patch.
Why VirusTotal didn’t catch it
This is the part worth dwelling on. VirusTotal isn’t a detection product. It’s a corpus of submitted files scanned by 70+ vendors, and it’s often the first public place an exploit lands once a researcher pulls it out of an attack. A sample sitting unflagged for four months means none of the static signatures matched, the JavaScript was obfuscated past behavioral heuristics, and nobody had pulled the file down for manual analysis. EXPMON’s value here is exactly that it’s a detonation sandbox, not a signature engine. The file ran, EXPMON watched what Acrobat did, and the behavior was abnormal enough to surface a new bug.
The implication for defenders: if you treat VirusTotal scores as ground truth, you’ll keep missing this class of attack. The hits-zero-vendors result is, increasingly, a tell rather than an all-clear.
What this means for you
If you run Acrobat or Reader on user endpoints, push 26.001.21411 today. Don’t rely on the auto-update channel to land it on the same day. The exploit chain is two-stage and the first stage runs on file open, so any inbox or shared drive that accepts PDFs is in scope. If you can disable JavaScript in Acrobat preferences across your fleet, that breaks this specific bug and a long tail of older Reader CVEs at the cost of a small set of form features. Microsoft Defender’s emergency ASP.NET patch the next week showed how fast a class of bug can move from a hidden VirusTotal sample to a live mass-exploitation problem. This one already had a head start.
The harder lesson is for your detection stack. A four-month head start on a public sandbox isn’t unique to Adobe. Treat zero-vendor-detect samples as suspicious by default, and route anything that opens an exotic file format on a knowledge-worker endpoint into a real detonation environment. The VirusTotal score is a starting line, not a finish line.
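As an added defender-side example (not code from the article or from any of the researchers it cites), here is a Python triage rule for the profile described in the two passages above: a PDF that auto-runs JavaScript on open, scanned through hex-escaped names and Flate-compressed streams, is routed to a detonation sandbox even when VirusTotal shows zero vendor hits. The sample PDFs are constructed, the watchlist of API names beyond util.readFileIntoStream is an assumption, and this is a routing heuristic, not a detector for CVE-2026-34621.

```python
import re
import zlib

# Names that make Acrobat run script without a click: /OpenAction fires when the
# document opens, /AA on page/annotation events; /JS and /JavaScript hold the script.
AUTO_EXEC = (b"/OpenAction", b"/AA")
JS_MARKERS = (b"/JavaScript", b"/JS")
# util.readFileIntoStream is the API the in-the-wild script abuses; the other two
# are an assumed watchlist of common callback/exfiltration APIs.
SUSPECT_CALLS = (b"readFileIntoStream", b"launchURL", b"Net.HTTP")

def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes (/J#61vaScript -> /JavaScript), a cheap trick
    that defeats naive string signatures."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Concatenate the decompressed bodies of FlateDecode streams so markers
    hidden in compressed objects are visible to the scan."""
    out = b""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:  # decompressobj tolerates a stream whose trailing byte the regex ate
            out += zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            pass  # not Flate-compressed; nothing to inflate
    return out

def triage_pdf(data: bytes, vt_hits: int) -> dict:
    """Route a PDF to a detonation sandbox based on what it would do on open,
    not on how many VirusTotal vendors flagged it."""
    text = normalize_names(data + inflate_streams(data))
    auto = any(t in text for t in AUTO_EXEC)
    js = any(t in text for t in JS_MARKERS)
    calls = [c.decode() for c in SUSPECT_CALLS if c in text]
    # Script that runs on open, or that touches file/network APIs, is detonated
    # at zero vendor hits: that is the profile this sample kept for 136 days.
    detonate = (auto and js) or bool(calls) or (js and vt_hits == 0)
    return {"auto_exec": auto, "javascript": js, "suspect_calls": calls,
            "vt_hits": vt_hits, "route_to_sandbox": detonate}

# Constructed samples (not real malware): a Flate-compressed action object with a
# hex-escaped /JavaScript name wired to /OpenAction, beside a plain document.
_ACTION = zlib.compress(b"<</S/J#61vaScript/JS(this.f = util.readFileIntoStream;)>>")
_HEADER = b"%PDF-1.7\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
SAMPLE_PDF = (_HEADER + b"2 0 obj<</Length " + str(len(_ACTION)).encode()
              + b"/Filter/FlateDecode>>stream\n" + _ACTION + b"\nendstream endobj\n")
BENIGN_PDF = b"%PDF-1.7\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
```

A real sample may also hide the action in an object stream or behind other filters; this scan only inflates plain FlateDecode streams, so treat a clean result as "nothing found", not as safe.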
Sources
- Adobe Patches Reader Zero-Day Exploited for Months — SecurityWeek
- Acrobat Reader zero-day exploited in the wild for many months (CVE-2026-34621) — Help Net Security
- Adobe rolls out emergency fix for Acrobat, Reader zero-day flaw — BleepingComputer
- Adobe Security Bulletin APSB26-43 — Adobe
- Adobe fixes PDF zero-day security bug that hackers have exploited for months — TechCrunch