Particle.news

Adobe Releases Emergency Patches for Acrobat/Reader Zero-Day Under Active Attack

Adobe now classifies the flaw as a local attack that enables arbitrary code execution.

Overview

  • Adobe pushed emergency updates for Acrobat DC, Acrobat Reader DC and Acrobat 2024 on Windows and macOS after confirming real‑world exploitation.
  • The flaw is a JavaScript prototype pollution bug that lets a crafted PDF alter base objects in Reader and run attacker code.
  • Researchers found VirusTotal samples from November and December 2025, indicating months of abuse via booby‑trapped PDFs.
  • Adobe’s revised guidance lowered the CVSS score to 8.6 and reclassified the attack vector as Local rather than Network.
  • EXPMON’s Haifei Li reported the bug, and new technical details and IoCs are out as analysts examine Russian‑language lures and urge fast patching.