Adobe has issued an emergency out-of-band security update to patch CVE-2026-34621, a critical remote code execution (RCE) vulnerability in Adobe Acrobat and Adobe Acrobat Reader that is already being weaponized in the wild. This is not a theoretical risk — threat actors are actively exploiting this flaw against organizations today. Every minute of delay in patching increases your exposure.
What Is CVE-2026-34621?
CVE-2026-34621 is a critical use-after-free vulnerability in Adobe Acrobat and Acrobat Reader's PDF rendering engine. A specially crafted PDF document can trigger heap memory corruption, allowing an attacker to achieve arbitrary code execution in the context of the current user — without any additional authentication or user interaction beyond opening the file.
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-34621 |
| CVSS Score | 9.8 (Critical) |
| Affected Products | Adobe Acrobat DC, Adobe Acrobat Reader DC, Acrobat 2024, Acrobat 2020 |
| Attack Vector | Local / Network (malicious PDF via email, web, or shared storage) |
| Privileges Required | None |
| User Interaction | Required (open a crafted PDF) |
| Exploitation Status | Actively exploited in the wild |
| Patch Available | Yes — emergency out-of-band release |
The vulnerability affects all major platforms: Windows and macOS. Given Acrobat's near-universal deployment in enterprise environments — especially legal, healthcare, finance, and government sectors — the blast radius of this flaw is enormous.
Why This Is Especially Dangerous
What makes CVE-2026-34621 particularly alarming isn't just the CVSS score — it's the delivery mechanism. PDFs are the most trusted document format in business. Employees open PDFs constantly: invoices, contracts, compliance reports, HR forms. Threat actors are actively abusing this trust by distributing weaponized PDFs via:
- Phishing emails with PDF attachments disguised as invoices or shipping notifications
- Drive-by downloads from compromised or malicious websites
- SharePoint / OneDrive shared documents sent from compromised accounts
- Malicious QR codes linking to hosted PDF payloads
Once a user opens the crafted PDF, the exploit runs silently. Observed post-exploitation activity includes:
- Credential harvesting via LSASS dumping
- Persistence via scheduled tasks and registry run keys
- Lateral movement using pass-the-hash techniques
- Deployment of remote access tools (RATs) and ransomware staging
Healthcare and financial services organizations are the current primary targets, likely due to the value of their data and the high prevalence of Acrobat in regulated document workflows.
Affected Versions
Patch immediately if you are running any of the following:
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Adobe Acrobat DC (Continuous) | ≤ 26.003.20094 | 26.003.20180 |
| Adobe Acrobat Reader DC (Continuous) | ≤ 26.003.20094 | 26.003.20180 |
| Adobe Acrobat 2024 | ≤ 24.004.20220 | 24.004.20240 |
| Adobe Acrobat 2020 | ≤ 20.005.30710 | 20.005.30740 |
Adobe Acrobat 2017 and earlier are end-of-life and will NOT receive a patch. If you are running EOL versions, immediate upgrade or removal is required.
Immediate Actions (P0 — Do Right Now)
1. Identify All Acrobat Installations
Run this across your environment to get a complete inventory before you patch:
# Find all Adobe Acrobat installs on a local machine
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*,
HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
Where-Object { $_.DisplayName -like "*Adobe Acrobat*" -or $_.DisplayName -like "*Acrobat Reader*" } |
Select-Object DisplayName, DisplayVersion, InstallLocation, Publisher |
Format-Table -AutoSize
For domain-wide inventory via Intune / Defender for Endpoint, run this KQL in Microsoft Defender:
DeviceTvmSoftwareInventory
| where SoftwareName has_any ("Adobe Acrobat", "Acrobat Reader")
| where SoftwareVersion < "26.003.20180"
| project DeviceId, DeviceName, SoftwareName, SoftwareVersion, OSPlatform
| order by SoftwareName asc
2. Check for Active Exploitation Indicators
Immediately hunt for signs this CVE has already been triggered in your environment:
// Hunt for Acrobat spawning suspicious child processes (shell, script engines, etc.)
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("AcroRd32.exe", "Acrobat.exe", "AdobeARM.exe")
| where FileName in~ (
"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
"bitsadmin.exe", "wmic.exe", "msiexec.exe"
)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName,
InitiatingProcessCommandLine, FileName, ProcessCommandLine
| order by Timestamp desc
// Hunt for suspicious network connections initiated by Acrobat processes
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("AcroRd32.exe", "Acrobat.exe")
| where RemotePort !in (443, 80)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName,
RemoteIP, RemotePort, RemoteUrl
| order by Timestamp desc
// Check for recently created persistence mechanisms following Acrobat execution
DeviceRegistryEvents
| where InitiatingProcessFileName in~ ("AcroRd32.exe", "Acrobat.exe", "cmd.exe", "powershell.exe")
| where RegistryKey has_any (
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
"SYSTEM\\CurrentControlSet\\Services"
)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName,
RegistryKey, RegistryValueName, RegistryValueData
| order by Timestamp desc
3. Apply the Emergency Patch
Option A — Acrobat Auto-Update (Preferred)
Open Adobe Acrobat, go to Help → Check for Updates, and apply immediately.
Option B — Silent Deploy via Intune / SCCM
# Download and silently install the update
$installerUrl = "https://ardownload2.adobe.com/pub/adobe/acrobat/win/AcrobatDC/2600320180/AcroRdrDCUpd2600320180.msp"
$localPath = "$env:TEMP\AcrobatPatch_CVE-2026-34621.msp"
Invoke-WebRequest -Uri $installerUrl -OutFile $localPath -UseBasicParsing
Start-Process -FilePath "msiexec.exe" -ArgumentList "/p `"$localPath`" /qn /norestart REBOOT=ReallySuppress" -Wait -NoNewWindow
Option C — macOS (Terminal)
# Verify installed version after update
defaults read "/Applications/Adobe Acrobat DC/Adobe Acrobat.app/Contents/Info.plist" CFBundleShortVersionString
4. Interim Mitigations (If You Cannot Patch Immediately)
Block PDF preview in Outlook (registry):
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\16.0\Outlook\Security" -Name "DisablePreviewHandlers" -Value 1 -Type DWord
Disable JavaScript in Adobe Acrobat (reduces attack surface significantly):
$regPath = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown"
If (!(Test-Path $regPath)) { New-Item -Path $regPath -Force }
Set-ItemProperty -Path $regPath -Name "bDisableJavaScript" -Value 1 -Type DWord
Enable Protected Mode and Protected View:
$regPath = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown"
Set-ItemProperty -Path $regPath -Name "iProtectedMode" -Value 1 -Type DWord
Set-ItemProperty -Path $regPath -Name "iProtectedView" -Value 2 -Type DWord
Sigma Detection Rules
Use these Sigma rules in your SIEM (Splunk, Elastic, Microsoft Sentinel via sigmac/pySigma) to detect active exploitation of CVE-2026-34621.
Rule 1 — Acrobat Spawning Suspicious Child Process
title: Adobe Acrobat Suspicious Child Process (CVE-2026-34621)
id: a3f1c8e2-4b7d-4e9a-b2c1-d5f6e7a8b901
status: stable
description: >
Detects Adobe Acrobat or Acrobat Reader spawning shells or script interpreters,
indicative of exploitation of CVE-2026-34621 via a crafted PDF.
references:
- https://helpx.adobe.com/security/products/acrobat/apsb26-21.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-34621
author: Security Arsenal
date: 2026-04-13
tags:
- attack.execution
- attack.t1059
- attack.initial_access
- attack.t1566.001
- cve.2026-34621
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\AcroRd32.exe'
- '\Acrobat.exe'
- '\AdobeARM.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\certutil.exe'
- '\bitsadmin.exe'
- '\wmic.exe'
- '\msiexec.exe'
- '\curl.exe'
- '\wget.exe'
condition: selection
falsepositives:
- Adobe Acrobat DC auto-updater invoking msiexec.exe (verify with AdobeARM.exe parent)
- Legitimate PDF-integrated JavaScript automation (rare; document and suppress per environment)
level: high
Rule 2 — Acrobat Outbound Network to Non-Standard Port
title: Adobe Acrobat Outbound Connection to Unusual Port (CVE-2026-34621)
id: b7e2d4a1-9c3f-4d8b-a1e5-c6f7d8e9b012
status: stable
description: >
Detects Acrobat or Reader initiating outbound network connections to ports
other than 80/443 — a strong indicator of C2 beacon activity post-exploitation.
references:
- https://helpx.adobe.com/security/products/acrobat/apsb26-21.html
author: Security Arsenal
date: 2026-04-13
tags:
- attack.command_and_control
- attack.t1071
- cve.2026-34621
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith:
- '\AcroRd32.exe'
- '\Acrobat.exe'
filter_legitimate:
DestinationPort:
- 80
- 443
condition: selection and not filter_legitimate
falsepositives:
- Acrobat license activation over non-standard ports (extremely rare in modern versions)
level: high
Rule 3 — Suspicious Persistence After Acrobat Execution
title: Registry Run Key Created After Acrobat Process (CVE-2026-34621 Post-Exploitation)
id: c9d3e5b2-1a4f-4c7d-b3e6-d7e8f9a0c123
status: experimental
description: >
Detects creation of registry Run keys by processes that were children of
Acrobat/Reader — a common persistence technique observed in CVE-2026-34621
post-exploitation chains.
references:
- https://helpx.adobe.com/security/products/acrobat/apsb26-21.html
author: Security Arsenal
date: 2026-04-13
tags:
- attack.persistence
- attack.t1547.001
- cve.2026-34621
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
- '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\rundll32.exe'
condition: selection
falsepositives:
- Legitimate software installers that happen to run during the same session
- Software update mechanisms
level: medium
SIEM Deployment: Convert these rules for your platform using pySigma or the Sigma CLI. Most modern EDR/SIEM vendors (CrowdStrike, Elastic, Splunk, Microsoft Sentinel) accept Sigma as input or have community rule packs already updated for this CVE.
Email Gateway & Perimeter Controls
While endpoint patching is the definitive fix, add detection at the perimeter:
- Block or sandbox all inbound PDF attachments from external senders until patches are verified deployed across your estate.
- Enable Microsoft Defender for Office 365 Safe Attachments on your email tenant (if not already active).
- Update your SIEM rules to alert on Acrobat spawning shell processes (KQL above).
- Check your EDR (CrowdStrike, SentinelOne, Defender for Endpoint) for any pre-existing behavioral detections for this CVE — most major vendors have signatures live.
Verify Patch Compliance Post-Deployment
// Verify patched state — should show only 26.003.20180 or higher
DeviceTvmSoftwareInventory
| where SoftwareName has_any ("Adobe Acrobat", "Acrobat Reader")
| summarize VersionCount = dcount(SoftwareVersion), Devices = count() by SoftwareName, SoftwareVersion
| order by SoftwareVersion desc
# Generate a CSV compliance report
$report = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*,
HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
Where-Object { $_.DisplayName -like "*Adobe Acrobat*" -or $_.DisplayName -like "*Acrobat Reader*" } |
Select-Object @{N='Machine';E={$env:COMPUTERNAME}}, DisplayName, DisplayVersion,
@{N='Patched';E={ [version]$_.DisplayVersion -ge [version]"26.003.20180" }}
$report | Export-Csv -Path "C:\Temp\AcrobatPatchCompliance_$(Get-Date -f yyyyMMdd).csv" -NoTypeInformation
Write-Output $report
Security Arsenal Can Help
If your organization needs assistance with verifying patch deployment across a complex environment, hunting for active exploitation indicators, 24/7 monitoring to detect post-exploitation activity, or rapid incident response, our team is available now. Time is critical with active exploitation in the wild.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform 24/7 Managed Detection & Response Book an Emergency Incident Response Consultation Vulnerability Management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.