Here is a fun game: think of the last time you opened a PDF without a second thought. A resume, a bank statement, a rental agreement, maybe some beautifully formatted recipe you downloaded from a food blog. Now imagine that file has been a potential attack vector since at least November 2025. Fun game, right?

Adobe has finally patched a zero-day vulnerability in its PDF software that, according to reporting by TechCrunch, hackers have been actively exploiting for months. A security researcher flagged that the campaign targeting victims kicked off no later than November 2025 - meaning this thing was live in the wild for a long, long time before a fix arrived.

What even is a zero-day, and why should you care?

A zero-day vulnerability is basically a security flaw that the software maker does not know about yet - which means there are zero days of protection against it. By the time Adobe knew this bug existed, attackers had already had a multi-month head start to do whatever they pleased with it.

The number of people actually compromised by this campaign is still unclear, which is the kind of sentence that should make anyone who regularly opens PDFs feel mildly existential about their digital hygiene.

PDFs: the format that refuses to die, and now also kind of a security nightmare

There is something darkly poetic about PDFs - a format so ancient and omnipresent that we have all just accepted it as part of life - being the vector for a months-long hacking campaign. It is the digital equivalent of discovering your front door lock has been broken since autumn and nobody told you.

Adobe Reader and Acrobat are installed on an absolutely staggering number of devices worldwide, which is exactly what makes this kind of vulnerability so attractive to bad actors. A widely trusted format plus a widely installed app plus a silent exploit equals a pretty decent day for hackers and a pretty terrible one for everyone else.

So what do you do now?

Update your Adobe software immediately - like, right now, before you finish this article. Seriously. Adobe has released the patch, so there is no excuse to keep running a vulnerable version. If your organization is still on an older version because IT moves at the speed of geological time, now is the moment to send that nudge.

And maybe, just maybe, treat that next PDF attachment from an unknown sender with a little more skepticism than usual. The paranoia is earned at this point.