Zero-Day Exploited in Adobe Reader: Attackers Target Users with Sophisticated PDF Malware
A zero-day vulnerability in **Adobe Reader** is being actively exploited by attackers using specially crafted PDF documents. Security researcher **Haifei Li** warns that these attacks, ongoing since at least December, leverage a 'highly sophisticated, fingerprinting-style PDF exploit' to steal data and potentially gain full system control.

Attackers have been exploiting a zero-day vulnerability in **Adobe Reader** using maliciously crafted PDF documents since at least December. This vulnerability allows for data theft and potential remote code execution.
## Sophisticated Fingerprinting Exploit
Security researcher **Haifei Li**, founder of the **EXPMON** exploit-detection platform, revealed on Tuesday that attackers are utilizing a 'highly sophisticated, fingerprinting-style PDF exploit.' This exploit targets an undisclosed **Adobe Reader** security flaw.
According to Li, these attacks have been targeting **Adobe** users for at least four months. The attackers are stealing data from compromised systems using privileged `util.readFileIntoStream` and `RSS.addFeed` Acrobat APIs, and deploying additional exploits.
"This 'fingerprinting' exploit has been confirmed to leverage a zero-day/unpatched vulnerability that works on the latest version of **Adobe Reader** without requiring any user interaction beyond opening a PDF file," Li warned.
"Even more concerning, this exploit allows the threat actor to not only collect/steal local information but also potentially launch subsequent RCE/SBX attacks, which could lead to full control of the victim's system."
**Haifei Li** has a history of disclosing security vulnerabilities in software from **Microsoft**, **Google**, and **Adobe**, many of which have been exploited in zero-day attacks.
## Russian-Language Phishing Lures
Threat intelligence analyst Gi7w0rm, who also analyzed this **Adobe Reader** exploit, found that the PDF documents used in these attacks contain Russian-language lures referencing ongoing events in the Russian oil and gas industry.
## Mitigation and Recommendations
Li has notified **Adobe** about these findings. Until a security update is released, **Adobe Reader** users are advised to avoid opening PDF documents from untrusted sources. Network defenders can also mitigate attacks by monitoring for, and blocking, HTTP/HTTPS traffic whose User-Agent header contains the string "Adobe Synchronizer".
"This zero-day/unpatched capability for broad information harvesting and the potential for subsequent RCE/SBX exploitation is enough for the security community to remain on high alert. This is why we have chosen to publish these findings immediately so users can stay vigilant," he added.
**BleepingComputer** has reached out to **Adobe** for comment but has yet to receive a response.