CRITICAL ⚡ MUST-KNOW

Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

· zero-day · cve · vulnerability · appsec

A zero-day vulnerability in Adobe Reader has been actively exploited via maliciously crafted PDF files since at least December 2025. Researcher Haifei Li of EXPMON documented the highly sophisticated exploit, with the initial artifact (“Invoice540.pdf”) first observed on VirusTotal on November 28, 2025.

No CVE has been publicly assigned as of reporting time. Adobe has not yet issued a patch. Users should treat unsolicited PDF attachments with extreme caution and consider enforcing Protected Mode in Adobe Reader. Organizations with DLP or email filtering policies should flag PDF attachments from unknown senders pending an official fix.
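
One way to implement the mail-filtering recommendation above, as an added example that is not part of the original post: a triage function that holds messages carrying PDF attachments from senders outside a local allowlist. The allowlist, function names and sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: a locally maintained allowlist of sender domains.
KNOWN_SENDER_DOMAINS = {"partner.example"}

def is_pdf(part):
    """True if a MIME part is a PDF by declared type, filename, or content."""
    name = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""
    # The type and filename are sender-controlled, so also look for the
    # %PDF- header, which readers accept within the first 1024 bytes.
    return (part.get_content_type() == "application/pdf"
            or name.endswith(".pdf")
            or b"%PDF-" in payload[:1024])

def flag_pdf_attachments(raw, known_domains=KNOWN_SENDER_DOMAINS):
    """Return (sender, [attachment names]) to hold the message, else None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # From is spoofable; a deployed filter would key on the authenticated
    # (SPF/DKIM/DMARC-aligned) domain instead.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender.rpartition("@")[2] in known_domains:
        return None
    pdfs = [p.get_filename() or "(unnamed)" for p in msg.walk()
            if not p.is_multipart() and is_pdf(p)]
    return (sender, pdfs) if pdfs else None

def build_sample(sender, filename, subtype, body):
    """Constructed test message with one attachment (not real traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "ap@corp.example", "Invoice"
    m.set_content("See attached.")
    m.add_attachment(body, maintype="application", subtype=subtype,
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    pdf = b"%PDF-1.7\n%constructed sample\n"
    for raw in (build_sample("Billing <billing@unknown.example>", "scan.bin", "octet-stream", pdf),
                build_sample("ops@partner.example", "report.pdf", "pdf", pdf)):
        print(flag_pdf_attachments(raw))
```

The content check matters because a PDF sent as `application/octet-stream` with a non-`.pdf` name would pass a filter that trusts only the declared type or extension.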