<![CDATA[There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html]]>There is at least one Adobe Reader 0day being exploited in the wild:
https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html

TL;DR: One 0day is being used to simply communicate details to a C2 server to get further commands. Specifically, there is a vulnerability that allows reading arbitrary local files using Reader JavaScript. In this case, ntdll.dll and friends, so that the C2 knows specifically what version of Windows the victim is running.

Nobody knows what secondary payload the C2 is delivering to selected targets. But it's a direct pipeline to allow the C2 to run arbitrary JavaScript on the victim system.

So I'll bet dollars to donuts that there is a second more powerful vulnerability that the attackers have up their sleeves. Or at the very least, the same vulnerability that allows the privileged file read might be able to be leveraged to do something nasty. And the whole AES-encrypted C2 stuff is merely to not put the payload statically in the exploit PDF, allowing a dynamic payload for any given target.

]]>https://board.circlewithadot.net/topic/3e36b403-880c-478b-bfdf-f4a05c84046c/there-is-at-least-one-adobe-reader-0day-being-exploited-in-the-wild-https-justhaifei1.blogspot.com-2026-04-expmon-detected-sophisticated-zero-day-adobe-reader.htmlRSS for NodeThu, 16 Apr 2026 01:26:05 GMTThu, 09 Apr 2026 22:03:47 GMT60<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Sat, 11 Apr 2026 13:48:03 GMT]]>This is now fixed as CVE-2026-34621.

Interestingly, it's a single CVE that is described as RCE. So presumably the same vulnerability that allowed for the reading of arbitrary files also is what enabled RCE.

Which suggests that somebody at Adobe did see what the second stage looked like. Or was able logically draw the conclusion that the same vulnerability (used in a different way) could be leveraged for RCE. 🤔

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116386384011725134https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116386384011725134Sat, 11 Apr 2026 13:48:03 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Fri, 10 Apr 2026 19:19:08 GMT]]>For the record, what got the JavaScript deobfuscated was:
https://webcrack.netlify.app/

There's also:
https://obf-io.deobfuscate.io/

It sure is better to run an app to do things than to even attempt to believe the nonsense that AI tools spew out. 😂

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116382023588119759https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116382023588119759Fri, 10 Apr 2026 19:19:08 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Fri, 10 Apr 2026 18:16:42 GMT]]>@waldi
But it's a privileged function.
The vulnerability at play here is that normal JavaScript in a PDF is able to call privileged functions.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116381778095359054https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116381778095359054Fri, 10 Apr 2026 18:16:42 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Fri, 10 Apr 2026 18:07:20 GMT]]>@wdormann No, it is a documented feature: https://opensource.adobe.com/dc-acrobat-sdk-docs/library/jsapiref/JS_API_AcroJSChanges.html#new-util-method

]]>https://board.circlewithadot.net/post/https://chaos.social/users/waldi/statuses/116381741269982818https://board.circlewithadot.net/post/https://chaos.social/users/waldi/statuses/116381741269982818Fri, 10 Apr 2026 18:07:20 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Fri, 10 Apr 2026 18:04:20 GMT]]>@waldi
Well, that's the vulnerability. 😂

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116381729462339185https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116381729462339185Fri, 10 Apr 2026 18:04:20 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Fri, 10 Apr 2026 17:59:56 GMT]]>@fellows
Depends on the sandbox, I suppose.
The vulnerability being exploited merely reads files like ntdll.dll to get version infromation. But the subsequent polling of a remote C2 host is a touch out of the ordinary. At least to me.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116381712187084924https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116381712187084924Fri, 10 Apr 2026 17:59:56 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Fri, 10 Apr 2026 17:56:54 GMT]]>@wdormann if the malicious PDF were blown up in a sandbox, would its activity be detected as abnormal?

]]>https://board.circlewithadot.net/post/https://cyberplace.social/users/fellows/statuses/116381700196982259https://board.circlewithadot.net/post/https://cyberplace.social/users/fellows/statuses/116381700196982259Fri, 10 Apr 2026 17:56:54 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Fri, 10 Apr 2026 17:24:14 GMT]]>And just for anybody playing along, again from the Bad Site, a link to a properly (functional) deobfuscated JavaScript has been shared.

And yeah, this part of the exploit allows for reading of arbitrary files.

Now, whatever threat actor at play here was fine with buffoons such as myself getting access to this part of the exploit chain. As it was only used to communicate precise details to the C2 server. i.e., this exploit chain was the disposable part.

I can only imagine what sort of second-stage exploit is being served up AES-encrypted to only some individuals. 🤔

Now, even without a fancy second stage, I suspect the ability to exfiltrate arbitrary files off of a system opening the PDF ain't nothing to sneeze at.

Link Preview ImageLink Preview Image
]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116381571809065153https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116381571809065153Fri, 10 Apr 2026 17:24:14 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Fri, 10 Apr 2026 16:06:36 GMT]]>@wdormann Why the heck can JavaScript in Adobe crap read stuff outside the document at all? And connect to random cross-origin destinations? This is Microsoft Office scripting all over again.

]]>https://board.circlewithadot.net/post/https://chaos.social/users/waldi/statuses/116381266488844308https://board.circlewithadot.net/post/https://chaos.social/users/waldi/statuses/116381266488844308Fri, 10 Apr 2026 16:06:36 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Fri, 10 Apr 2026 15:32:42 GMT]]>But I suppose I'll also note: What Grok provided to me was completely made up, including a nonsensical call to Collab.collectEmailInfo(). But to those not paying attention, it seemed plausible.

Which had a buffer overflow in CVE-2007-5659.

Strange days indeed.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116381133189170354https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116381133189170354Fri, 10 Apr 2026 15:32:42 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Fri, 10 Apr 2026 15:30:52 GMT]]>@Chris_vonW
No, if JavaScript isn't enabled, the exploit doesn't do a thing.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116381126033070996https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116381126033070996Fri, 10 Apr 2026 15:30:52 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Fri, 10 Apr 2026 15:17:30 GMT]]>@wdormann does the exploit still work with JavaScript disabled in Acrobat?

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/Chris_vonW/statuses/116381073430720333https://board.circlewithadot.net/post/https://infosec.exchange/users/Chris_vonW/statuses/116381073430720333Fri, 10 Apr 2026 15:17:30 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Fri, 10 Apr 2026 12:45:57 GMT]]>As I was looking into this (specifically the readFileIntoStream() part), I was quite disappointed by where ChatGPT would refuse to go further. Because I'm apparently a criminal and all. The irony here being that I already provided to ChatGPT the JavaScript that performs the exploit. Albeit in a form that isn't readable by humans. As such, ChatGPT's refusal to proceed only helps the miscreants already performing attacks.

Compared to Grok, which just did what I asked.

I'm not particularly fond of receiving ethical judgment and assumptions about why I'm doing my job

Link Preview ImageLink Preview ImageLink Preview Image
]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116380477515550959https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116380477515550959Fri, 10 Apr 2026 12:45:57 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Thu, 09 Apr 2026 23:01:21 GMT]]>@DaveMWilburn
What makes a PDF reader better than its competition is the number of features that it foists upon you, obviously.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116377235037080166https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116377235037080166Thu, 09 Apr 2026 23:01:21 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Thu, 09 Apr 2026 23:00:15 GMT]]>@wdormann

0-day in acroread.exe? Are we back in the early twenty teens again?

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/DaveMWilburn/statuses/116377230741168590https://board.circlewithadot.net/post/https://infosec.exchange/users/DaveMWilburn/statuses/116377230741168590Thu, 09 Apr 2026 23:00:15 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Thu, 09 Apr 2026 22:47:13 GMT]]>Over on the Bad Site is a bit of analysis

The million dollar question is: Is this vulnerability chain, which is honestly used just to provide useful information to the C2 just the warm-up to the real exploit delivered by the C2?

Or is privileged JavaScript execution enough to do bad things?

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116377179508438661https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116377179508438661Thu, 09 Apr 2026 22:47:13 GMT<![CDATA[Reply to There is at least one Adobe Reader 0day being exploited in the wild:https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html on Thu, 09 Apr 2026 22:07:37 GMT]]>The interesting thing about using ntdll.dll as the target for this first vulnerability is that in normal Reader operation, ntdll.dll is accessed.

So there's no immediate obvious symptom of shenanigans. Other than the fact that a C2 server is polled for further instructions that is. 😂

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116377023794203548https://board.circlewithadot.net/post/https://infosec.exchange/users/wdormann/statuses/116377023794203548Thu, 09 Apr 2026 22:07:37 GMT