Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025
EXECUTIVE SUMMARY
Adobe Reader Zero-Day Exploit Targets Users with Malicious PDFs
Summary
A zero-day vulnerability in Adobe Reader has been actively exploited by threat actors using malicious PDF files since December 2025. The sophisticated exploit, identified by EXPMON's Haifei Li, uses a malicious PDF file named "Invoice540.pdf."
Key Points
- The zero-day vulnerability affects Adobe Reader and has been exploited since at least December 2025.
- The malicious PDF, "Invoice540.pdf," was first detected on VirusTotal on November 28, 2025.
- The exploit has been described as highly sophisticated, indicating advanced threat actor capabilities.
- The vulnerability was discovered and reported by Haifei Li from EXPMON.
Analysis
This zero-day exploit in Adobe Reader represents a critical security threat because it is being actively exploited and is sophisticated. The use of malicious PDFs as an attack vector underscores the importance of keeping security measures up to date and handling documents with care. Because Adobe Reader is so widely used, the potential impact is significant and calls for immediate attention from IT security teams.
Conclusion
IT professionals should prioritize patching Adobe Reader and enhancing email and document security protocols to mitigate the risk of exploitation. Regularly monitoring threat intelligence sources for updates on this vulnerability is also recommended.