Adobe Acrobat Vulnerability Analysis: CVE-2026-34621
2026.06.10

✅ Report Title: Adobe Acrobat Vulnerability Analysis: CVE-2026-34621



✅ Executive Summary:


- This report is an analysis of CVE-2026-34621, an Arbitrary Code Execution vulnerability occurring in Adobe Acrobat*.

  * Adobe Acrobat: A PDF processing application that provides various features such as viewing, editing, digital signing, and sharing/reviewing PDF documents.


- This vulnerability is an Arbitrary Code Execution vulnerability caused by improperly controlled modification of object prototype attributes (Prototype Pollution) during the processing of JavaScript embedded within PDF documents.


- The versions listed below are affected by this vulnerability.

  - Adobe Acrobat DC / Reader DC ≤ 26.001.21367

  - Adobe Acrobat 2024 ≤ 24.001.30356 (Windows & macOS)


- This vulnerability has been exploited in the wild by an unknown threat actor.


- Although the exact point of initial exploitation has not been confirmed, based on the oldest sample uploaded to VirusTotal (registered on November 28, 2025), Haifei Li from EXPMON, who reported the vulnerability, estimates it to be a 0-day/APT campaign that has been ongoing for at least four months.



📌 CVE-2026-34621 Details


- CVE Number: CVE-2026-34621


- Disclosure or Patch Date: 2026-04-11


- Product: Acrobat


- Vendor: Adobe


- Threat Actor: Unknown


- Confirmed Affected Version:

  - Adobe Acrobat DC / Reader DC (Continuous) ≤ 26.001.21367

  - Adobe Acrobat 2024 (Classic) ≤ 24.001.30356


- Patched Version:

  - Adobe Acrobat DC / Reader DC ≥ 26.001.21411

  - Adobe Acrobat 2024 ≥ 24.001.30362 (Windows) / 24.001.30360 (macOS)


- Reporter (Advisor): Haifei Li (EXPMON)



📌 What Is the Root Cause of the Vulnerability?


- Some of the trust-propagator functions within Acrobat's JavaScript API assign the swConn identifier as an implicit global (without a function-scope declaration such as var, let, or const) and then re-read it as a bare name within the same function.


- In this scenario, if a threat actor uses JavaScript embedded in a PDF to pollute Object.prototype.swConn with a getter (without a corresponding setter), the implicit-global write is silently handled as a no-op.


- The subsequent read then follows the polluted prototype chain, causing the attacker-planted callable to be executed within the trust frame.


- As a result, any JavaScript function included in the document can be registered as a permanent trustedFunction.


- This allows the execution of arbitrary JavaScript code that utilizes Acrobat's privileged APIs, which are otherwise inaccessible via standard user permissions.
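
The write-then-re-read behaviour described above, modelled in plain JavaScript as an added example (not S2W's PoC and not Acrobat code). It uses no Acrobat API; the names `undeclared`, `declared`, `strict` and `callUnderPollution` are hypothetical, and the getter returns a constructed marker string. It shows why a function-scoped declaration or strict mode removes the dependence on the prototype chain.

```javascript
// Constructed model of the write-then-re-read pattern; no Acrobat API is used.
// Function-constructor bodies resolve bare names through the global object,
// whose prototype chain ends at Object.prototype.

// "Before": swConn is assigned and re-read without a declaration (sloppy mode).
const undeclared = new Function('conn', 'swConn = conn; return swConn;');

// Fix 1: a function-scoped declaration never consults the prototype chain.
const declared = new Function('conn', 'const swConn = conn; return swConn;');

// Fix 2: strict mode turns the silent no-op write into a thrown error.
const strict = new Function('conn', '"use strict"; swConn = conn; return swConn;');

// Call fn('expected') while Object.prototype carries a getter-only swConn,
// then restore the realm. The getter returns a marker and counts its reads.
function callUnderPollution(fn) {
  let getterReads = 0;
  Object.defineProperty(Object.prototype, 'swConn', {
    configurable: true,
    get() { getterReads += 1; return 'from-prototype-getter'; },
    // deliberately no setter
  });
  try {
    return { value: fn('expected'), getterReads, error: null };
  } catch (e) {
    return { value: undefined, getterReads, error: e.name };
  } finally {
    delete Object.prototype.swConn; // remove the accessor again
    delete globalThis.swConn;       // remove any implicit global that was created
  }
}

const results = {
  undeclared: callUnderPollution(undeclared), // write ignored, read hits the getter
  declared: callUnderPollution(declared),     // local binding wins, getter never runs
  strict: callUnderPollution(strict),         // assignment throws instead of being ignored
};
console.log(results);
```
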



📌 How Can This Vulnerability Be Exploited? (Attack Scenario)


- Through this vulnerability, an external threat actor can induce a victim to open a malicious PDF and gain a trust frame solely using JavaScript within the document.


- This allows for various malicious activities, such as fingerprinting and sensitive information collection/exposure through arbitrary file reading via privileged Acrobat APIs (which are normally inaccessible to general users), as well as C2 server communication and the download/execution of remote JavaScript payloads by exploiting the RSS feature.



📌 PoC Code


- For more information about the PoC test code developed by S2W Threat Intelligence Center TALON, please contact us through the link below.



✅ Recommended Threat Detection and Mitigation Actions:


- If using a vulnerable version of Acrobat, it is recommended to update to the latest version.


- If an immediate update is not possible, it is recommended to take measures according to the mitigation plans provided below.

  - Disable the execution of JavaScript embedded in PDF documents through Group Policy or Acrobat settings

  - Refrain from viewing PDFs from untrusted sources



🧑‍💻 Author: S2W TALON


👉 Contact us: https://s2w.inc/en/contact


*The full report is available upon request or with a subscription to the S2W platform.

