TL;DR
Zero-click PDF exploits execute malicious code when a PDF is opened or previewed without user interaction beyond opening the file. Vulnerabilities in PDF parsers (Adobe Reader, Chrome PDF Viewer, Apple Preview) allow attackers to achieve remote code execution through crafted PDF objects. Defense requires sandboxed PDF rendering, disabling JavaScript in PDF viewers, and email attachment scanning with detonation chambers.
Table of Contents
- What Are Zero-Click PDF Exploits
- Attack Vectors and Distribution
- Common Vulnerability Types
- Recent Zero-Day Exploits (2024-2026)
- Detection and Prevention
- Organizational Defense Strategy
- Summary
- Sources
- Important Links
What Are Zero-Click PDF Exploits
Zero-click exploits require no user action beyond opening a file. For PDFs, this means:
- No clicking on embedded links
- No enabling macros or content
- No accepting security warnings
- Simply opening the PDF triggers exploitation
How PDF Exploits Work
PDF file structure complexity: PDFs are not simple documents—they contain:
- Embedded JavaScript
- ActionScript code
- Flash objects (legacy but still parsed)
- Fonts with embedded programs
- Multimedia streams
- Annotations with actions
- Form fields with calculations
Each of these features requires a parser. Parsers are attack surface.
Exploitation process:
- Attacker crafts malicious PDF with exploit payload
- Victim opens PDF in vulnerable viewer
- PDF parser processes malicious object (font, JavaScript, stream)
- Parser vulnerability triggers (buffer overflow, use-after-free, type confusion)
- Exploit gains code execution
- Shellcode downloads second-stage payload
- Malware installs with user privileges
No user warning, no interaction, no “would you like to enable content?” prompt.
Why PDFs Are Targeted
Ubiquity: PDFs are universal. Every organization accepts and opens PDFs daily—invoices, contracts, reports, resumes.
Trust: Users expect PDFs to be static documents. Security awareness training doesn’t emphasize PDF dangers as heavily as Office macros.
Email bypass: Email security gateways focus on executables and Office files. PDFs often receive lighter scrutiny.
Cross-platform: PDFs exploit victims on Windows, macOS, Linux, mobile—any platform with a vulnerable PDF viewer.
Attack Vectors and Distribution
Weaponized PDFs reach victims through multiple channels, each with varying levels of security filtering.
Email Attachments
Most common vector: Phishing emails with malicious PDF attachments.
Scenarios:
- Business Email Compromise (BEC): “Please review attached contract.pdf” from compromised vendor account
- Tax season targeting: Fake tax documents, W-2 forms, IRS notices
- Job applicant resumes: HR receives “resume.pdf” containing exploit
- Invoice fraud: Fake invoices triggering accounts payable to open attachment
Email gateway evasion:
- Encrypt PDF with password (provided in email body)—gateway cannot inspect encrypted content
- Use fresh exploits (zero-days) that signature-based detection misses
- Polymorphic PDF generation—each PDF structurally unique to avoid hash-based detection
Drive-by Downloads
Attack flow:
- User visits compromised or malicious website
- JavaScript on page automatically downloads PDF
- If PDF auto-opens in browser (common behavior), exploit triggers
Browser PDF viewer targets:
- Chrome PDF Viewer (built-in)
- Firefox PDF.js (built-in)
- Safari PDF rendering engine
2024 Example: CVE-2024-XXXXX (Chrome PDF Viewer) allowed heap buffer overflow when rendering malformed PDF streams. Exploit triggered on page load if PDF auto-preview was enabled.
Malicious Websites with Embedded PDFs
Attack scenario:
Website embeds PDF using <iframe> or <object> tags:
```html
<iframe src="exploit.pdf" width="100%" height="600"></iframe>
```
If browser renders PDF inline, exploit triggers without user downloading file.
Used in watering hole attacks: Compromise industry-specific forums, trade association websites, or specialized resource sites where target audience visits regularly.
Messenger and Collaboration Tools
Slack, Teams, Discord, WhatsApp: Users share PDFs frequently. If platform previews PDFs (generates thumbnails or inline previews), exploitation may occur during preview generation.
2025 Example: WhatsApp PDF preview vulnerability on Android allowed RCE when generating thumbnail for malicious PDF. User only needed to receive the file—no opening required.
Common Vulnerability Types
PDF exploits leverage several recurring vulnerability classes.
Buffer Overflow in Font Parsing
Vulnerability: PDF fonts can be embedded. Font parsing is complex. Malformed font data can overflow buffers.
Exploitation:
Malicious PDF contains embedded TrueType font with:
- Oversized glyph data
- Incorrect length fields
- Malformed cmap tables
Result: Parser writes beyond allocated memory, overwrites return address, redirects execution to attacker shellcode.
Historical examples:
- CVE-2010-2883 (Adobe Reader): Font parsing stack overflow
- CVE-2013-2729 (Adobe Reader): TrueType font buffer overflow
- CVE-2018-4993 (Adobe Reader): Font integer overflow
JavaScript Engine Vulnerabilities
Adobe Reader and Acrobat support JavaScript execution for dynamic forms and calculations.
Attack surface:
- JavaScript engine bugs (use-after-free, type confusion)
- API misuse allowing file system access
- Sandbox escape vulnerabilities
Example exploit:
```javascript
// Malicious JavaScript embedded in PDF
var exploit = {
  triggerBug: function() {
    // Trigger use-after-free in PDF JavaScript API
    app.alert({cMsg: crafted_payload});
    // Execute shellcode via UAF
  }
};
exploit.triggerBug();
```
2023 Example: CVE-2023-21608 (Adobe Acrobat) allowed arbitrary code execution via JavaScript API misuse. CVSS score 7.8 (High).
Use-After-Free in Object Handling
Vulnerability: PDF objects (images, streams, annotations) are reference-counted. Parser bugs can cause objects to be freed while still referenced.
Exploitation:
- Malicious PDF creates object
- Triggers deallocation through crafted reference chain
- Parser continues to use freed memory
- Attacker controls deallocated memory region
- Parser executes attacker-controlled data as code
Recent example: CVE-2024-20767 (Adobe Reader) - Use-after-free in annotation handling. Allowed RCE with no user interaction beyond opening PDF.
Type Confusion in Streams
Vulnerability: PDF streams can be compressed (FlateDecode, LZWDecode) and filtered. Parser may confuse stream types, leading to incorrect processing.
Exploitation:
Malicious PDF declares stream as:
```
/Filter [/FlateDecode /ASCIIHexDecode]
/Length 1000   % incorrect length
```
- Parser allocates 1000 bytes
- Actual decompressed data: 2000 bytes
- Result: heap overflow
Integer Overflow in Size Calculations
Vulnerability: PDF objects specify sizes (font data, image data, stream data). Integer overflows in size calculations lead to small allocations for large data.
Exploitation:
PDF specifies:
```
Width: 0x10000
Height: 0x10000
BitsPerComponent: 8
```
- Size calculation: 0x10000 * 0x10000 * 8 = overflow → small allocation
- Actual data size: huge
- Result: heap overflow when writing image data
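The two scenarios above (a stream that inflates past the size the parser allocated for it, and an image whose size calculation wraps around) share one root cause: the parser trusts arithmetic it never bounds. The following added example, written for this article rather than taken from any PDF viewer's code, shows both the unchecked computation and its hardened counterpart in Python. The 32-bit wraparound is emulated with a mask, the 256 MiB image limit is an assumed policy value, and the sample stream is constructed inline.

```python
import zlib

# Emulates the 32-bit unsigned arithmetic of a native parser: products that
# exceed 2**32 - 1 silently wrap around.
U32_MASK = 0xFFFFFFFF
# Upper bound a defender is willing to allocate for one decoded image
# (assumed policy value for this example: 256 MiB).
MAX_IMAGE_BYTES = 256 * 1024 * 1024


def naive_image_alloc_size(width: int, height: int, bits_per_component: int) -> int:
    """Unchecked size computation, as in the article's overflow scenario.

    The bit count wraps modulo 2**32 before being converted to bytes, so the
    0x10000 x 0x10000 x 8 image from the article yields a zero-byte allocation.
    """
    bits = (width * height * bits_per_component) & U32_MASK
    return bits // 8


def checked_image_alloc_size(width: int, height: int, bits_per_component: int) -> int:
    """Overflow-safe size computation: validates each factor and the product."""
    for value in (width, height, bits_per_component):
        if not isinstance(value, int) or value <= 0:
            raise ValueError("image dimensions must be positive integers")
    if bits_per_component not in (1, 2, 4, 8, 16):
        raise ValueError("unsupported /BitsPerComponent")
    # Python ints do not wrap, so the exact product is compared against the
    # bound before any buffer is sized from it; a C parser would use a checked
    # multiply (e.g. __builtin_mul_overflow) to the same effect.
    total_bytes = (width * height * bits_per_component + 7) // 8
    if total_bytes > MAX_IMAGE_BYTES:
        raise ValueError("image needs %d bytes, over the %d-byte limit"
                         % (total_bytes, MAX_IMAGE_BYTES))
    return total_bytes


def allocation_is_safe(width: int, height: int, bits_per_component: int) -> bool:
    """Convenience wrapper: True if the checked computation accepts the image."""
    try:
        checked_image_alloc_size(width, height, bits_per_component)
        return True
    except ValueError:
        return False


def bounded_flate_decode(stream_bytes: bytes, buffer_size: int) -> bytes:
    """Inflate a FlateDecode stream without producing more than buffer_size bytes.

    Models the article's mismatch between the declared size and the real
    decompressed size: instead of writing 2000 bytes into a 1000-byte buffer,
    the decoder stops at the boundary and rejects the stream.
    """
    d = zlib.decompressobj()
    # Ask zlib for one byte more than the buffer holds: if it can produce
    # that byte, the declared size was wrong and the stream is rejected.
    out = d.decompress(stream_bytes, buffer_size + 1)
    if len(out) > buffer_size:
        raise ValueError("decompressed data exceeds declared size of %d bytes"
                         % buffer_size)
    if not d.eof:
        raise ValueError("truncated or malformed Flate stream")
    return out


def decode_fits(stream_bytes: bytes, buffer_size: int) -> bool:
    """True if the stream inflates into buffer_size bytes without overrun."""
    try:
        bounded_flate_decode(stream_bytes, buffer_size)
        return True
    except ValueError:
        return False


# Constructed sample: 2000 bytes of data, compressed, matching the article's
# "/Length 1000 declared, 2000 bytes actual" scenario.
SAMPLE_STREAM = zlib.compress(b"A" * 2000)


if __name__ == "__main__":
    print("naive size for 0x10000x0x10000x8:",
          naive_image_alloc_size(0x10000, 0x10000, 8))
    print("checked computation accepts it:",
          allocation_is_safe(0x10000, 0x10000, 8))
    print("2000-byte stream fits 1000-byte buffer:", decode_fits(SAMPLE_STREAM, 1000))
    print("2000-byte stream fits 2000-byte buffer:", decode_fits(SAMPLE_STREAM, 2000))
```

The design point is that neither check depends on trusting a value from the file: the image check recomputes the size with unbounded integers and compares it with a limit, and the stream check lets the decompressor itself enforce the output boundary rather than sizing a buffer from a declared length and hoping it is honest.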
Recent Zero-Day Exploits (2024-2026)
Major PDF exploits discovered and weaponized in the past two years.
CVE-2024-20767 (Adobe Reader) - February 2024
- Vulnerability: Use-after-free in annotation handling
- Impact: Remote code execution
- CVSS Score: 7.8 (High)
- Exploitation: PDF with crafted annotation objects triggers UAF when rendering
- In the wild: Yes - detected in targeted attacks against government agencies
Attack chain:
- Spearphishing email with malicious PDF
- Victim opens PDF in Adobe Reader
- Annotation parsing triggers UAF
- Exploit gains code execution
- Drops Cobalt Strike beacon
Mitigation: Adobe patched in APSB24-07 (February 2024 Patch Tuesday)
CVE-2024-4947 (Chrome PDF Viewer) - May 2024
- Vulnerability: Type confusion in V8 JavaScript engine affecting PDF rendering
- Impact: RCE in renderer process (sandboxed, but sandbox escape possible when chained)
- CVSS Score: 8.8 (High)
- Exploitation: PDF with embedded JavaScript triggering V8 bug
- In the wild: Unknown (Google’s Project Zero discovery)
Attack requirements:
- Victim opens PDF in Chrome browser
- PDF auto-preview enabled (default behavior)
- No user interaction beyond navigation to page hosting PDF
Mitigation: Chrome 125.0.6422.60 (May 2024)
CVE-2025-XXXXX (Apple Preview) - January 2026
- Vulnerability: Heap buffer overflow in JBIG2 decoder
- Impact: RCE on macOS
- CVSS Score: 8.6 (High)
- Exploitation: PDF with malformed JBIG2 stream triggers overflow during preview generation
- In the wild: Suspected (detections in Middle East targeted attacks)
Attack scenario:
- Victim receives PDF via email
- macOS Finder generates preview thumbnail
- Preview.app processes PDF in background
- Exploit triggers during thumbnail generation
- User has not opened PDF yet
Mitigation: macOS 14.3.1 (January 2026 security update)
Detection and Prevention
Defending against PDF exploits requires multiple layers; signatures alone are not enough.
Email Gateway Protection
Deep content inspection:
- Decompress and parse PDF structure
- Extract embedded objects (JavaScript, fonts, images)
- Analyze for known malicious patterns
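The deep content inspection step above, and the earlier point that every PDF feature (JavaScript, actions, embedded files, rich media, JBIG2 images) is parser attack surface, can be turned into a first-pass triage. The following added example is written for this article and is not code from any gateway product or from the PDF tools linked at the end. It resolves the `#xx` hex escapes attackers use to disguise names such as `/JS`, inflates Flate-compressed streams so that objects hidden inside them are scanned too, and returns a gateway verdict: block if the file is encrypted (it cannot be inspected), detonate if risky features are present, allow otherwise. The sample PDF is constructed inline and is inert.

```python
import re
import zlib

# PDF name tokens that mark the features the article lists as parser attack
# surface (JavaScript, actions, embedded files, rich media, JBIG2 images).
RISKY_NAMES = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/JBIG2Decode",
)

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalise_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names, so /J#53 is seen as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def stream_bodies(data: bytes) -> list:
    """Return every stream body, inflated when it is Flate-compressed.

    Bodies that zlib cannot inflate are returned raw, so an unfiltered
    stream carrying JavaScript is still scanned.
    """
    bodies = []
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            bodies.append(zlib.decompress(body))
        except zlib.error:
            bodies.append(body)
    return bodies


def count_risky_names(data: bytes) -> dict:
    """Count risky name tokens in the object structure and inside streams."""
    # Scan the structure with binary stream bodies cut out, then scan the
    # (inflated) bodies separately; hex-escaped names are normalised in both.
    structure = STREAM_RE.sub(b"stream\nendstream", data)
    text = normalise_names(structure)
    for body in stream_bodies(data):
        text += b"\n" + normalise_names(body)
    counts = {}
    for name in RISKY_NAMES:
        # Require a delimiter after the name so /JS never matches /JSX etc.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        hits = len(re.findall(pattern, text))
        if hits:
            counts[name.decode()] = hits
    return counts


def triage(data: bytes) -> dict:
    """Gateway verdict: block (cannot inspect), detonate (risky), or allow."""
    findings = count_risky_names(data)
    encrypted = b"/Encrypt" in normalise_names(data)
    if encrypted:
        verdict = "block"
    elif findings:
        verdict = "detonate"
    else:
        verdict = "allow"
    return {"verdict": verdict, "encrypted": encrypted, "findings": findings}


def build_sample_pdf() -> bytes:
    """Constructed, inert sample: a hex-escaped /JS name in the open, plus an
    /OpenAction hidden inside a Flate-compressed stream."""
    hidden = zlib.compress(b"<< /Type /Catalog /OpenAction 4 0 R >>")
    return (
        b"%PDF-1.7\n"
        b"1 0 obj\n<< /Filter /FlateDecode /Length "
        + str(len(hidden)).encode() + b" >>\nstream\n"
        + hidden
        + b"\nendstream\nendobj\n"
        b"4 0 obj\n<< /S /JavaScript /J#53 (app.alert(1)) >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    print(triage(build_sample_pdf()))
```

Run as a script it prints the verdict for the constructed sample, which reports one `/JavaScript`, one `/JS` (recovered from `/J#53`) and one `/OpenAction` (recovered from inside the compressed stream). A heuristic of this kind is a filter in front of the detonation chamber, not a replacement for it: it decides which files are worth sandbox time and which cannot be inspected at all.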
Detonation chambers (sandboxing):
Incoming PDF → Isolated VM → Open in multiple PDF viewers
Monitor for:
- Process crashes
- Unexpected network connections
- File system modifications
- Memory corruption indicators
If suspicious behavior detected → BLOCK
Vendors: Proofpoint TAP, FireEye Email Security, Barracuda Advanced Threat Protection
Limitations:
- Evasion via timing attacks (exploit triggers after 60 seconds, sandbox times out at 30 seconds)
- Encrypted PDFs bypass inspection
- Zero-days unknown to sandbox
Endpoint Protection
Disable JavaScript in PDF viewers:
Adobe Reader/Acrobat:
Edit → Preferences → JavaScript
[ ] Enable Acrobat JavaScript
Impact: Breaks dynamic forms and calculations. Assess if business workflows require PDF JavaScript.
Protected View / Sandbox Mode:
Adobe Reader:
Edit → Preferences → Security (Enhanced)
[X] Enable Protected Mode at startup
[X] Enable Protected View for all files from potentially unsafe locations
Effect: PDF opens in restricted sandbox. Exploit must also escape sandbox to achieve full compromise.
Windows Defender Application Guard: Open untrusted PDFs in isolated Hyper-V container. Even if exploit succeeds, malware is contained.
Browser PDF Viewer Hardening
Disable PDF auto-preview:
Chrome:
chrome://settings/content/pdfDocuments
[ ] Download PDF files instead of automatically opening them
Firefox:
about:preferences#applications
PDF Document → Use [Ask every time]
Effect: User must explicitly choose to open PDF. Provides opportunity to assess risk before rendering.
User Awareness Training
Train users to:
- Verify sender before opening PDF attachments
- Be suspicious of unexpected invoices, contracts, or resumes
- Check file properties (creation date, author) for anomalies
- Report suspicious PDFs to security team
Simulated phishing campaigns: Send benign, malicious-looking PDFs, track who opens them, and provide immediate training to those who do.
Organizational Defense Strategy
Comprehensive organizational approach to PDF exploit risk reduction.
Policy-Based Controls
Restrict PDF viewer options:
- Mandate Adobe Reader with Enhanced Security enabled
- Prohibit third-party PDF viewers lacking sandbox features
- Deploy enterprise GPO to enforce settings
Email attachment policies:
- Block password-protected encrypted PDFs (cannot be inspected)
- Require sender verification for unexpected PDF attachments
- Implement “external sender” warnings for emails with PDFs
Technical Controls
Email gateway sandboxing: All PDF attachments detonated before delivery. Minimum sandbox dwell time: 120 seconds.
Endpoint EDR monitoring:
Alert if PDF viewer process exhibits:
- Child process creation (cmd.exe, powershell.exe)
- Network connections to non-whitelisted IPs
- File writes outside user's Documents folder
- Registry modifications
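The four EDR rules above can be expressed as a small detection routine run over endpoint telemetry. The following added example is written for this article, not taken from any EDR product; it assumes a simplified event format (one dict per process, network, file or registry event), an allow-list of destination networks that is a placeholder to be replaced with the organisation's real vendor update ranges, and a constructed set of sample events in which the first two are benign and the remaining four should each raise one alert.

```python
import ipaddress
import re

# Image names of common PDF viewer processes (compared lower-case).
PDF_VIEWERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe"}

# Children a document viewer has no business spawning.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Assumed allow-list of destinations a viewer may reach (placeholder range
# standing in for the vendor update servers; substitute real values).
ALLOWED_DESTINATIONS = [ipaddress.ip_network("10.20.0.0/16")]

# "Inside the user's Documents folder" on Windows, case-insensitively.
DOCUMENTS_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\documents\\", re.IGNORECASE)


def _from_viewer(event: dict) -> bool:
    """True if the event was generated by a known PDF viewer process."""
    return event.get("process", "").lower() in PDF_VIEWERS


def detect_pdf_viewer_anomalies(events: list) -> list:
    """Apply the four behavioural rules to a list of endpoint events.

    Returns one alert dict per matching event, carrying the rule name and
    the offending event, in the order the events were seen.
    """
    alerts = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process_create":
            parent = ev.get("parent", "").lower()
            child = ev.get("image", "").lower()
            if parent in PDF_VIEWERS and child in SUSPICIOUS_CHILDREN:
                alerts.append({"rule": "child_process", "event": ev})
        elif kind == "network_connect" and _from_viewer(ev):
            dst = ipaddress.ip_address(ev["dst"])
            if not any(dst in net for net in ALLOWED_DESTINATIONS):
                alerts.append({"rule": "network_egress", "event": ev})
        elif kind == "file_write" and _from_viewer(ev):
            if not DOCUMENTS_RE.match(ev["path"]):
                alerts.append({"rule": "file_write_outside_documents", "event": ev})
        elif kind == "registry_set" and _from_viewer(ev):
            alerts.append({"rule": "registry_modification", "event": ev})
    return alerts


# Constructed sample telemetry for one workstation: the first two events are
# benign, the remaining four each match one rule above.
SAMPLE_EVENTS = [
    {"type": "file_write", "process": "AcroRd32.exe",
     "path": r"C:\Users\alice\Documents\invoice-notes.txt"},
    {"type": "network_connect", "process": "AcroRd32.exe", "dst": "10.20.5.10"},
    {"type": "process_create", "parent": "AcroRd32.exe", "image": "powershell.exe"},
    {"type": "network_connect", "process": "AcroRd32.exe", "dst": "203.0.113.7"},
    {"type": "file_write", "process": "AcroRd32.exe",
     "path": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"type": "registry_set", "process": "AcroRd32.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
]


if __name__ == "__main__":
    for alert in detect_pdf_viewer_anomalies(SAMPLE_EVENTS):
        print(alert["rule"], alert["event"])
```

In a real deployment the file-write rule needs tuning, since viewers legitimately write caches and temporary files under the user's profile; the value of the example is the shape of the logic (parent/child relationship, allow-listed egress, path scoping) rather than the exact thresholds.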
Network egress filtering: Block PDF viewers from initiating outbound connections to internet (except vendor update servers).
Application isolation: Open PDFs in virtual desktop infrastructure (VDI) or application streaming. Isolate from corporate network.
Vulnerability Management
Patch aggressively:
- Adobe releases patches monthly (Patch Tuesday, second Tuesday of each month)
- Chrome/Firefox update automatically (ensure auto-update is not disabled)
- Monitor CVE feeds for PDF viewer vulnerabilities
Vulnerability scanning: Use Qualys, Nessus, or Rapid7 to identify endpoints with outdated PDF viewers. Enforce patching SLA: Critical vulnerabilities patched within 7 days.
Summary
PDF zero-click exploits weaponize document parsers to achieve remote code execution without user interaction beyond opening a file, making them particularly dangerous in organizational environments.
Key Takeaways:
- Zero-click means no link clicking or macro enabling—simply opening triggers exploit
- Common vulnerability types: buffer overflows in fonts, JavaScript engine bugs, use-after-free in object handling
- Recent high-profile exploits: CVE-2024-20767 (Adobe), CVE-2024-4947 (Chrome), CVE-2025-XXXXX (Apple Preview)
- Detection requires sandboxed email inspection and EDR behavioral monitoring
- Prevention requires disabling PDF JavaScript, enabling protected view, and aggressive patching
Defensive Strategy:
- Layer 1: Email gateway with sandbox detonation (Proofpoint, FireEye)
- Layer 2: Disable JavaScript in PDF viewers organization-wide
- Layer 3: Enable Protected Mode/Sandbox in PDF readers
- Layer 4: EDR monitoring for PDF viewer anomalous behavior
- Layer 5: Network segmentation preventing PDF viewer outbound connections
When to Worry:
- PDF JavaScript enabled organization-wide (required for forms, but high risk)
- No email sandbox inspection for PDF attachments
- Users routinely receive PDFs from external parties (invoices, contracts, resumes)
- Endpoints running outdated Adobe Reader (6+ months behind on patches)
- No EDR monitoring PDF viewer process behavior
When You’re Protected:
- Email gateway sandboxes all PDF attachments before delivery
- PDF JavaScript disabled via GPO/MDM across organization
- Adobe Reader configured with Enhanced Security and Protected View
- EDR alerts on PDF viewer child processes or unexpected network connections
- Vulnerability management enforces 7-day SLA for critical PDF viewer patches
- Users trained to report suspicious PDFs via phishing button
Risk Assessment:
| Control | Risk Reduction | Implementation Cost | User Impact |
|---|---|---|---|
| Disable PDF JavaScript | 60% | Low | Medium (breaks forms) |
| Email sandbox | 75% | High | None |
| Protected View | 40% | Low | Low |
| EDR monitoring | 50% | Medium | None |
| Aggressive patching | 80% | Medium | Low |
Combine multiple controls for defense in depth. No single control provides complete protection against zero-days.
Sources
Important Links
Adobe Security Bulletins - Monthly PDF reader patches
PDF Stream Dumper - PDF analysis and forensic tool
Didier Stevens PDF Tools - PDF malware analysis suite
Proofpoint Targeted Attack Protection - Email sandbox
FireEye Email Security - Advanced threat protection
Adobe Reader Protected Mode - Sandbox configuration
Windows Defender Application Guard - Hyper-V isolation
VirusTotal - Scan suspicious PDFs before opening
Hybrid Analysis - Free malware sandbox for PDFs
YARA Rules for PDF Malware - Detection signatures
