Adobe Reader Zero-Day Actively Exploited via Malicious PDFs

Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December


A previously unknown vulnerability in Adobe Reader has been under active exploitation since December 2025, with threat actors leveraging specially crafted PDF documents to compromise systems. Security researchers have identified this as a highly sophisticated exploit capable of bypassing traditional defenses.

The malicious activity centers on weaponized PDF files designed to trigger the vulnerability when opened in Adobe Reader. The first known artifact, tracked as "Invoice540.pdf," surfaced on VirusTotal in late November 2025, suggesting threat actors may have been preparing their attack infrastructure weeks before launching full-scale exploitation campaigns.

This zero-day represents a significant concern for enterprise and individual users alike, as PDF files remain one of the most commonly trusted file formats in business environments. Attackers have long recognized this trust gap, using PDFs as delivery mechanisms for sophisticated payloads that traditional security tools often fail to detect.

The exploitation technique demonstrates considerable sophistication, indicating that the actors responsible possess advanced technical capabilities. The method of delivery—through documents that appear legitimate at first glance—makes detection particularly challenging for end users who may not notice anything amiss when opening the malicious files.

Adobe has not yet released an official patch addressing this vulnerability, leaving millions of users potentially at risk. Organizations relying on Adobe Reader for document processing should consider implementing additional security measures, such as sandboxing PDF viewers, restricting macro execution, and deploying advanced threat detection systems capable of identifying suspicious PDF behavior.

Users are advised to exercise heightened caution when receiving unsolicited PDF attachments, particularly those appearing to be invoices or financial documents. The discovery underscores the ongoing cat-and-mouse game between security researchers and threat actors, as attackers continue identifying and weaponizing previously unknown vulnerabilities in widely used software.

Editorial note: This article represents original analysis and commentary by the TechDailyPulse editorial team.