Krebs on Security

Patch Tuesday, April 2026 Edition

Brian Krebs, April 14, 2026, 18:47

Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed “BlueHammer.” Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited flaw that can lead to remote code execution.

Image: a Windows laptop in its updating stage, displaying the message "Do not turn off the computer."

Redmond warns that attackers are already targeting CVE-2026-32201, a vulnerability in Microsoft SharePoint Server that allows attackers to spoof trusted content or interfaces over a network.

Mike Walters, president and co-founder of Action1, said CVE-2026-32201 can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments.

“This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” Walters said. “The presence of active exploitation significantly increases organizational risk.”

Microsoft also addressed BlueHammer (CVE-2026-33825), a privilege escalation bug in Windows Defender. According to BleepingComputer, the researcher who discovered the flaw published exploit code for it after notifying Microsoft and growing exasperated with their response. Will Dormann, senior principal vulnerability analyst at Tharros, says he confirmed that the public BlueHammer exploit code no longer works after installing today’s patches.

Satnam Narang, senior staff research engineer at Tenable, said April marks the second-biggest Patch Tuesday ever for Microsoft. Narang also said there are indications that a zero-day flaw Adobe patched in an emergency update on April 11 — CVE-2026-34621 — has seen active exploitation since at least November 2025.

Adam Barnett, lead software engineer at Rapid7, called the patch total from Microsoft today “a new record in that category” because it includes nearly 60 browser vulnerabilities. Barnett said it might be tempting to imagine that this sudden spike was tied to the buzz around the announcement a week ago today of Project Glasswing — a much-hyped but still unreleased new AI capability from Anthropic that is reportedly quite good at finding bugs in a vast array of software.

But he notes that Microsoft Edge is based on the Chromium engine, and the Chromium maintainers acknowledge a wide range of researchers for the vulnerabilities which Microsoft republished last Friday.

“A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities,” Barnett said. “We should expect to see further increases in vulnerability reporting volume as the impact of AI models extends further, both in terms of capability and availability.”

Finally, no matter what browser you use to surf the web, it’s important to completely close out and restart the browser periodically. This is really easy to put off (especially if you have a bajillion tabs open at any time) but it’s the only way to ensure that any available updates get installed. For example, a Google Chrome update released earlier this month fixed 21 security holes, including the high-severity zero-day flaw CVE-2026-5281.

For a clickable, per-patch breakdown, check out the SANS Internet Storm Center Patch Tuesday roundup. Running into problems applying any of these updates? Leave a note about it in the comments below and there’s a decent chance someone here will pipe in with a solution.

Malwarebytes

Simply opening a PDF could trigger this Adobe Reader zero-day

April 13, 2026, 08:38 (also syndicated on Security Boulevard)

Even though it’s patched, Adobe confirmed it was exploited in the wild, so updating is urgent, not optional.

Opening the wrong PDF in Adobe Reader was enough to let criminals quietly spy on your computer and unleash more attacks, even though everything looked normal.

A researcher analyzed a malicious PDF and found that it abused a previously unknown flaw (a “zero‑day”) in Adobe Acrobat Reader.

When a victim simply opens this PDF, hidden code inside it can read files that Acrobat Reader should not be allowed to access and send them to an attacker’s server. Some tests show that it allows attackers to pull in additional malicious code from a remote server and run it on the victim’s machine, potentially escaping Adobe’s sandbox protections.

In its security bulletin, Adobe acknowledges that the vulnerability, tracked as CVE-2026-34621, is being exploited in the wild.

The issue impacts the following products and versions for both Windows and macOS:

  • Acrobat DC versions 26.001.21367 and earlier (fixed in 26.001.21411)
  • Acrobat Reader DC versions 26.001.21367 and earlier (fixed in 26.001.21411)
  • Acrobat 2024 versions 24.001.30356 and earlier (fixed in 24.001.30362 for Windows and 24.001.30360 for macOS)

Exploitation requires you to open a malicious PDF, but nothing more. No extra clicks or permissions are needed. The researcher found malicious samples using this exploit dating back to November 11, 2025.

Testing showed that a successful exploitation can:

  • Pull in JavaScript from a remote server and execute it inside Adobe Reader.
  • Steal arbitrary local files and send them out, proving real‑world data theft is possible even without a full remote code execution chain.

How to stay safe

The easiest way to stay safe is to install the emergency update.

The latest product versions are available to end users via one of the following methods:

  • Manually: Go to Help > Check for updates
  • Automatically: Updates install without user intervention when detected
  • Direct download: Available from the Acrobat Reader Download Center

For IT administrators (managed environments):

  • Refer to the relevant release notes for installer links
  • Deploy updates using AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or Apple Remote Desktop/SSH (macOS)

If you’re unable or unwilling to update right away:

  • Be extra cautious with PDFs from unknown senders or unexpected attachments, even after patching, as attackers may pivot to new variants.
  • Use an up-to-date, real-time anti-malware solution to block known malicious servers and detect malware and exploits.
  • Carefully monitor all HTTP/HTTPS traffic for the “Adobe Synchronizer” string in the User Agent field.
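The monitoring tip above (watching for “Adobe Synchronizer” in the User-Agent field) turned into a small log-scanning check, as an added example that is not Malwarebytes’ code: it parses combined-format proxy log lines (a constructed sample, not real captures) and flags Synchronizer traffic to a bare IP or to any host outside an assumed allowlist of Adobe domains, which a defender would tune to their own baseline.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Apache "combined"-style proxy access log (format assumed for this example):
# client ident user [timestamp] "METHOD URL PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
UA_MARKER = "Adobe Synchronizer"  # the User-Agent string Malwarebytes advises watching for
EXPECTED_SUFFIXES = (".adobe.com",)  # hosts Reader feed sync may contact: an assumption, tune per site

def host_of(url: str) -> str:
    """Return the host part of a URL (no scheme, userinfo, port, or path)."""
    m = re.match(r'^[a-zA-Z][a-zA-Z0-9+.-]*://([^/?#]+)', url)
    authority = m.group(1) if m else url.split("/", 1)[0]
    authority = authority.rsplit("@", 1)[-1]          # drop userinfo
    if authority.startswith("["):                      # bracketed IPv6 literal
        return authority[1:authority.index("]")]
    return authority.split(":", 1)[0]

def is_bare_ip(host: str) -> bool:
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (severity, client, host) for Synchronizer traffic to an unexpected host, else None."""
    m = LOG_RE.match(line)
    if not m or UA_MARKER not in m.group("ua"):
        return None
    host = host_of(m.group("url")).lower()
    if is_bare_ip(host):                               # raw-IP destination, as in the reported variant
        return ("high", m.group("client"), host)
    if host.endswith(EXPECTED_SUFFIXES):               # expected Adobe feed traffic
        return None
    return ("medium", m.group("client"), host)

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    return [a for a in (classify(l) for l in lines) if a]

SAMPLE_LOG = [  # constructed lines, not real captures
    '10.0.0.5 - - [09/Apr/2026:10:01:02 +0000] "GET https://www.example.com/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 Chrome/135.0"',
    '10.0.0.7 - - [09/Apr/2026:10:02:10 +0000] "GET https://rss.adobe.com/feed.xml HTTP/1.1" 200 2048 "-" "Adobe Synchronizer"',
    '10.0.0.9 - - [09/Apr/2026:10:03:44 +0000] "GET http://188.214.34.20:34123/ HTTP/1.1" 200 96 "-" "Adobe Synchronizer"',
    '10.0.0.9 - - [09/Apr/2026:10:04:01 +0000] "POST https://feeds.example-cdn.net/u HTTP/1.1" 200 128 "-" "Adobe Synchronizer"',
]
```

Running `scan(SAMPLE_LOG)` yields a high-severity hit for the raw-IP destination and a medium one for the unknown domain; the Chrome request and the allowlisted Adobe host produce nothing. The User-Agent string is a weak indicator on its own, so the destination check is what separates legitimate feed sync from a beacon.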


Security Affairs

Malicious PDF reveals active Adobe Reader zero-day in the wild

Pierluigi Paganini, April 9, 2026, 16:14

Hackers used an Adobe Reader zero-day for months. Researcher Haifei Li found a malicious PDF and asks the community to help analyze it.

Hackers used an Adobe Reader zero-day for months to deliver a sophisticated PDF exploit. Cybersecurity researcher Haifei Li, founder of Expmon, discovered the malicious file and warned the community.

On March 26, a suspicious PDF was submitted to EXPMON and flagged by its advanced “detection in depth” feature, despite low antivirus detection (13/64 on VirusTotal).


The system marked it for manual review, highlighting potential hidden threats. EXPMON identifies exploits through automated alerts, analyst inspection of logs and indicators, and large-scale data analysis. This case shows how advanced detection can uncover sophisticated zero-day activity that traditional tools may miss, though it requires expert analysis to confirm.

He is now asking security experts to help analyze the exploit, understand how it works, and determine its impact, as the vulnerability appears unpatched and actively abused in real-world attacks.

A researcher who goes online with the moniker Gi7w0rm reported that documents employed in the campaign contain Russian language lures and refer to issues regarding current events related to the oil and gas industry in Russia.

Apparent #0day in Adobe Reader has been observed in the wild. Seems to exploit part of Adobe Reader’s JavaScript engine. Documents observed contain Russian language lures and refer to issues regarding current events related to the oil and gas industry in Russia. https://t.co/QRu63fuAP4

— Gi7w0rm (@Gi7w0rm) April 8, 2026

The sample analyzed by Li works as an initial exploit that abuses an unpatched Adobe Reader flaw to run privileged APIs on fully updated systems.

It uses “util.readFileIntoStream()” to read local files and collect sensitive data. Then it calls “RSS.addFeed()” to send stolen data to a remote server and receive more malicious JavaScript.

“Based on our analysis, the sample acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits. It abuses a zero-day/unpatched vulnerability in Adobe Reader that allows it to execute privileged Acrobat APIs, and it is confirmed to work on the latest version of Adobe Reader,” reads the report published by Haifei Li. “Specifically, it calls the ‘util.readFileIntoStream()’ API, allowing it to read arbitrary files (accessible by the sandboxed Reader process) on the local system. In this way, it can collect a wide range of information from the local system and steal local file data.”

This lets attackers profile victims, steal information, and decide whether to launch further attacks, including remote code execution or sandbox escape if the target meets specific conditions.

During the tests, researchers connected to the server but received no response or additional exploit. The attacker likely requires specific target conditions that the test setup did not meet.

“However, during our tests, we were unable to obtain the said additional exploit – the server was connected but no response.” continues the report. “This could be due to various reasons – for example, our local testing environments may not have met the attacker’s specific criteria.”

On April 8, 2025, researcher @greglesnewich found a new variant that connects to the IP address 188.214.34.20:34123. This sample was uploaded to VirusTotal on November 28, 2025, which suggests the hacking campaign has been ongoing for at least four months.

The researcher N3mes1s published a full forensic analysis of the Adobe Reader Zero-Day PDF exploit.


Pierluigi Paganini


Adobe Reader Zero-Day Exploited to Steal Data via Malicious PDFs

An Adobe Reader zero-day vulnerability is being actively exploited via malicious PDFs, allowing hackers to steal data without user interaction, with no patch available.