Cyber Threat Pulse

Adobe Reader zero-day exploited via malicious PDFs

Key Questions

What is the Adobe Reader zero-day vulnerability?

The vulnerability is a memory corruption bug in Adobe Reader that leads to remote code execution (RCE) and a sandbox bypass; it has been exploited since December 2025 through malicious PDFs. The exploit chain abuses the util.readFileIntoStream and RSS.addFeed functions. The lures used match those seen in nation-state campaigns targeting Chrome and Fortinet.

What are the command-and-control (C2) servers associated with this exploit?

The attackers use command-and-control servers at 169.40.2.68:45191 and 188.214.34.20:34123, both tied to the exploitation chain delivered through the malicious PDFs. The flaw enables data theft and reconnaissance of victims.

How are malicious PDFs used in this Adobe Reader exploit?

Booby-trapped PDFs trigger the zero-day to achieve remote code execution and escape the Reader sandbox. Experts have flagged it as a dangerous, actively exploited flaw, and its use aligns with the reconnaissance tactics of nation-state actors.
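For defenders triaging the PDFs and network telemetry described above, here is an added example (not code from the page's sources) that flags PDFs whose JavaScript, including JavaScript hidden in Flate-compressed streams, references the two API names named in the exploit chain, and that matches log lines against the two C2 endpoints. The sample PDF bytes and log lines are constructed for the demonstration.

```python
import re
import zlib

# Indicators taken from the report; everything else below is constructed sample data.
SUSPECT_JS_CALLS = (b"util.readFileIntoStream", b"RSS.addFeed")
C2_ENDPOINTS = ("169.40.2.68:45191", "188.214.34.20:34123")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _decoded_streams(pdf: bytes):
    """Yield every stream body, inflating FlateDecode streams when possible."""
    for raw in STREAM_RE.findall(pdf):
        try:
            yield zlib.decompress(raw)
        except zlib.error:
            yield raw  # uncompressed, or a filter this heuristic does not handle


def suspicious_js_calls(pdf: bytes) -> list:
    """Return the suspect Acrobat JS API names found anywhere in the PDF."""
    found = set()
    for body in [pdf] + list(_decoded_streams(pdf)):
        for name in SUSPECT_JS_CALLS:
            if name in body:
                found.add(name.decode())
    return sorted(found)


def c2_hits(log_lines) -> list:
    """Return (line_no, endpoint) pairs for log lines mentioning a known C2 endpoint."""
    return [(no, ep) for no, line in enumerate(log_lines, 1)
            for ep in C2_ENDPOINTS if ep in line]


# Constructed sample: a minimal PDF whose JavaScript sits in a Flate-compressed stream.
_js = b"var s = util.readFileIntoStream('x'); RSS.addFeed('http://example.invalid');"
_deflated = zlib.compress(_js)
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Length " + str(len(_deflated)).encode()
              + b" /Filter /FlateDecode >>\nstream\n" + _deflated
              + b"\nendstream\nendobj\n%%EOF\n")

# Constructed proxy/firewall lines; 203.0.113.10 is a TEST-NET address.
SAMPLE_LOG = [
    "2026-04-09T10:01:02Z proxy allow 10.0.0.5 -> 169.40.2.68:45191 bytes=1240",
    "2026-04-09T10:01:05Z proxy allow 10.0.0.5 -> 203.0.113.10:443 bytes=5120",
    "2026-04-09T10:02:11Z fw deny 10.0.0.7 -> 188.214.34.20:34123",
]

if __name__ == "__main__":
    print("JS indicators:", suspicious_js_calls(SAMPLE_PDF))
    print("C2 hits:", c2_hits(SAMPLE_LOG))
```

This is a triage heuristic only: obfuscated JavaScript (split strings, alternate filters such as LZW, object streams) will evade the byte match, so a clean result does not clear a file.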

Summary: memory corruption leading to RCE and sandbox bypass, exploited since December 2025; the exploit chains util.readFileIntoStream and RSS.addFeed; C2 at 169.40.2.68:45191 and 188.214.34.20:34123; nation-state lures align with those targeting Chrome and Fortinet.

Sources (2)
Updated Apr 10, 2026