Adobe Reader Zero-Day: Months of Silent Exploitation
Security researchers at EXPMON have disclosed a sophisticated zero-day in Adobe Reader that has been exploited in the wild since at least December 2025 via malicious PDF files. The vulnerability, now tracked as CVE-2026-34621 with a CVSS score of 9.6, allows attackers to execute privileged Acrobat APIs through crafted PDF documents - confirmed to work on the latest version of Adobe Reader at the time of discovery. [1] Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 — The Hacker News
The initial lure document, named "Invoice540.pdf," first appeared on VirusTotal on November 28, 2025. Once opened, it triggers obfuscated JavaScript that harvests sensitive data and beacons to an external server. Researcher Gi7w0rm noted that observed samples contain Russian-language lures referencing the oil and gas industry. [1] Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 — The Hacker News
EXPMON's Haifei Li described the exploit as an initial-access mechanism capable of "broad information harvesting," with a follow-on architecture designed to deliver additional RCE and sandbox-escape payloads based on target fingerprinting. The exploit exfiltrates collected data to a remote C2 server and can receive additional JavaScript for execution, setting the stage for deeper compromise. [1] Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 — The Hacker News Adobe has since released a patch.
Fortinet FortiClient EMS: Another Zero-Day in a Familiar Target
Fortinet issued emergency out-of-band patches for CVE-2026-35616, a critical pre-authentication API bypass in FortiClient Enterprise Management Server (EMS) versions 7.4.5 and 7.4.6. The flaw carries a CVSS score of 9.1, and active exploitation was observed as early as March 31, 2026 - days before Fortinet published its advisory on April 4. [2] Fortinet Issues Emergency Patch for FortiClient Zero-Day — Dark Reading [3] CISA adds CVE-2026-35616 to Known Exploited Vulnerabilities catalog
WatchTowr's sensors detected exploitation before the advisory was published, and CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog on April 6, mandating federal agencies patch by April 9. [3] CISA adds CVE-2026-35616 to Known Exploited Vulnerabilities catalog The vulnerability continues a pattern: Fortinet edge devices have been a persistent target for threat actors, with multiple critical flaws exploited across FortiOS, FortiGate, and FortiClient products over the past two years.
FortiClient EMS is a centralized endpoint management platform used by enterprises to manage FortiClient installations across their networks. A pre-auth bypass in this component gives attackers a direct path into the management plane without credentials - a worst-case scenario for any organization relying on it.
Marimo RCE: From Advisory to Exploitation in Under 10 Hours
CVE-2026-39987, a pre-authenticated remote code execution vulnerability in Marimo - an open-source Python notebook - was exploited within 9 hours and 41 minutes of public disclosure, despite no proof-of-concept code being available at the time. [4] Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure — The Hacker News
The flaw exists because Marimo's /terminal/ws WebSocket endpoint lacks authentication validation, unlike other endpoints that correctly call validate_auth(). This allows an unauthenticated attacker to obtain a full PTY shell on any exposed instance. The vulnerability, rated CVSS 9.3, affects all Marimo versions up to and including 0.20.4 and is patched in version 0.23.0. [4] Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure — The Hacker News
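The bug class described above is a per-handler authentication check that one route simply forgot. The following added example is not Marimo's code and uses no web framework; it models two routing layouts (handlers trusted to call validate_auth() themselves versus a router that enforces it per route) and a route audit a maintainer could keep in CI to catch any endpoint that answers an anonymous request. The route paths mirror the article; the session token, handlers and router are constructed for illustration.

```python
"""Added example (not Marimo's code): a framework-free model of the bug class
behind CVE-2026-39987, where one WebSocket route skips the authentication
check its sibling routes perform, plus a route audit that catches it."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample secret standing in for a real session token.
SESSION_TOKEN = "constructed-session-token"


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


class AuthError(Exception):
    """Raised when a request carries no valid session token."""


def validate_auth(request: Request) -> None:
    # Plays the role the article attributes to validate_auth(): every handler
    # is supposed to call this before doing privileged work.
    if request.headers.get("Authorization") != f"Bearer {SESSION_TOKEN}":
        raise AuthError(f"unauthenticated request to {request.path}")


# --- vulnerable layout: each handler is trusted to call validate_auth itself ---
def kernel_ws(request: Request) -> str:
    validate_auth(request)
    return "kernel websocket attached"


def terminal_ws_vulnerable(request: Request) -> str:
    # BUG (modelled on the article's description): the check was forgotten,
    # so an anonymous client reaching this socket is handed the terminal.
    return "pty shell attached"


VULNERABLE_ROUTES: Dict[str, Callable[[Request], str]] = {
    "/ws": kernel_ws,
    "/terminal/ws": terminal_ws_vulnerable,
}


# --- hardened layout: the router enforces authentication for every route ---
def require_auth(handler: Callable[[Request], str]) -> Callable[[Request], str]:
    def wrapped(request: Request) -> str:
        validate_auth(request)
        return handler(request)
    return wrapped


def terminal_ws_fixed(request: Request) -> str:
    return "pty shell attached"


FIXED_ROUTES: Dict[str, Callable[[Request], str]] = {
    "/ws": require_auth(kernel_ws),  # checking twice is harmless
    "/terminal/ws": require_auth(terminal_ws_fixed),
}


def dispatch(routes: Dict[str, Callable[[Request], str]], request: Request) -> str:
    return routes[request.path](request)


def audit_unauthenticated(routes: Dict[str, Callable[[Request], str]]) -> List[str]:
    """Return every route that serves a request carrying no credentials.

    An empty list is the only acceptable result for a service that can
    expose a shell; anything else is a regression to fail the build on."""
    exposed = []
    for path in sorted(routes):
        try:
            dispatch(routes, Request(path))
        except AuthError:
            continue
        exposed.append(path)
    return exposed


if __name__ == "__main__":
    print("unauthenticated routes (vulnerable):", audit_unauthenticated(VULNERABLE_ROUTES))
    print("unauthenticated routes (fixed):", audit_unauthenticated(FIXED_ROUTES))
```

The design point is the second layout: when the router wraps every registered handler, a forgotten check becomes impossible rather than merely unlikely, and the audit turns the article's root cause into a test that runs on every change.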
Sysdig observed a threat actor connect to a honeypot, conduct manual reconnaissance, and systematically harvest .env files and SSH keys across four sessions spanning 90 minutes - behavior consistent with a human operator working through a target list. [4] Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure — The Hacker News
The Shrinking Patch Window
These three vulnerabilities, disclosed within days of each other, illustrate two converging trends. First, attackers are monitoring vulnerability advisories in near real-time and building working exploits directly from advisory descriptions - no PoC required. Second, zero-days in widely deployed enterprise products like Adobe Reader and Fortinet EMS continue to provide months-long exploitation windows before detection.
For security teams, the takeaway is operational: assume that any critical advisory for internet-facing or commonly deployed software will be weaponized within hours. Patch prioritization must account not only for CVSS scores but also for exposure and confirmed exploitation. Organizations should verify that Adobe Reader, FortiClient EMS, and any Marimo instances are updated immediately.
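To make the prioritization advice concrete, here is an added example (not from the article) of a small ranker that weights confirmed exploitation and internet exposure above raw CVSS. It lists the three CVEs and CVSS scores from the article; the internet-facing flags, the placeholder fourth finding, the scoring weights and the deadline policy are all constructed for illustration and are not a published standard.

```python
"""Added example (not from the article): a patch-prioritisation ranker that
weights confirmed exploitation and exposure above CVSS alone."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    internet_facing: bool    # asset-inventory flag, constructed here
    exploited_in_wild: bool  # e.g. a CISA KEV listing or vendor confirmation


def priority(f: Finding) -> float:
    """Higher is more urgent. Weights are a constructed policy, not a standard."""
    score = f.cvss  # 0..10 baseline
    if f.exploited_in_wild:
        score += 10.0  # confirmed exploitation outranks any CVSS gap
    if f.internet_facing:
        score += 5.0  # reachable by the actors who watch advisories
    return score


def patch_deadline_days(f: Finding) -> int:
    """Constructed SLA: exploited and exposed within a day, exploited within
    three (the CISA KEV deadline in the article was three days), any other
    critical finding within a week, everything else within a month."""
    if f.exploited_in_wild and f.internet_facing:
        return 1
    if f.exploited_in_wild:
        return 3
    if f.cvss >= 9.0:
        return 7
    return 30


def rank(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=priority, reverse=True)


# Constructed inventory: the three CVEs from the article plus one placeholder
# internal-only finding (not a real CVE id) to show that the highest CVSS
# does not automatically come first.
INVENTORY = [
    Finding("CVE-2026-34621", 9.6, internet_facing=False, exploited_in_wild=True),  # Adobe Reader, client-side
    Finding("CVE-2026-35616", 9.1, internet_facing=True, exploited_in_wild=True),  # FortiClient EMS, on KEV
    Finding("CVE-2026-39987", 9.3, internet_facing=True, exploited_in_wild=True),  # Marimo, exposed notebook
    Finding("CVE-PLACEHOLDER-0001", 9.8, internet_facing=False, exploited_in_wild=False),  # constructed
]

if __name__ == "__main__":
    for f in rank(INVENTORY):
        print(f"{f.cve:22} priority={priority(f):5.1f}  patch within {patch_deadline_days(f)} day(s)")
```

Run as a script it prints the two exposed, exploited findings first, the client-side Adobe flaw next, and the constructed 9.8 last: the ordering the article argues for, where exposure and confirmed exploitation, not the CVSS decimal, decide what gets patched today.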