Adobe has addressed a critical security vulnerability in its Acrobat DC, Reader DC and Acrobat 2024 applications. The zero-day bug, known as CVE-2026-34621, allowed hackers to remotely deliver malware via maliciously crafted PDF files on Windows and macOS devices.

The vulnerability has been exploited for at least four months before Adobe patched it. Security researcher Haifei Li first detected the exploit when a user uploaded a malicious PDF to his malware scanner in late November 2025, with another copy appearing on VirusTotal earlier that month.

While the exact targets of this hacking campaign remain unknown, the widespread use of Adobe’s PDF-reading software makes it an attractive target for cybercriminals and state-sponsored hackers. The potential consequences are severe: opening a malicious file could grant full control over a user's system, allowing data theft on a large scale.

Adobe is urging users to update their software to the latest versions to secure their systems against this threat. However, given how long the bug was exploited before discovery, many may have already fallen victim unknowingly.