
Adobe Acrobat Under Attack: What Every Small Business Needs to Do Right Now

If your business uses Adobe Acrobat or Acrobat Reader — and the vast majority of UK small businesses do — you need to act today. Adobe has issued an emergency security update to fix a critical vulnerability that attackers are already exploiting in the wild. This isn't a theoretical risk; it's happening right now.

The flaw, tracked as CVE-2026-34621, carries a severity score of 8.6 out of 10. An attacker can craft a malicious PDF that, when opened in an unpatched version of Acrobat Reader, runs harmful code on your machine — potentially giving them access to your files, your network and your customer data.


Why Should Small Businesses Care?

PDFs are the backbone of modern business communication. Invoices, contracts, purchase orders, HR documents — they all travel as PDFs. Attackers know this, and they know that small businesses often lack the dedicated IT teams that larger organisations rely on to keep software up to date.

This makes SMBs particularly vulnerable. A single employee opening a poisoned PDF attachment from a convincing phishing email could compromise your entire operation. The consequences range from data theft and ransomware to regulatory fines under UK GDPR for failing to protect personal data.

If you're unsure whether your business is prepared for threats like this, our free cyber security assessment can help you identify gaps before attackers do.

What Exactly Is the Vulnerability?

The technical term is prototype pollution — a type of flaw in the JavaScript engine used within Acrobat Reader. In plain English, it means an attacker can manipulate how the software processes data inside a PDF, tricking it into executing malicious commands.

The vulnerability affects both Windows and macOS versions of the following products:

Security researcher Haifei Li of EXPMON first disclosed the zero-day exploitation of this flaw, with evidence suggesting it may have been exploited by threat actors since as early as December 2025. That means attackers have had months of head start.

What You Need to Do Immediately

The good news is that Adobe has released patched versions. Here is what you should do today:

  1. Update every copy of Acrobat and Acrobat Reader across your business. Open the application, go to Help > Check for Updates, and install what's available.
  2. Check your version numbers. You need to be on at least version 26.001.21411 for Acrobat DC and Reader DC, or 24.001.30362 (Windows) / 24.001.30360 (macOS) for Acrobat 2024.
  3. Warn your team. Send a company-wide message reminding staff not to open unexpected PDF attachments, especially from unknown senders.
  4. Enable automatic updates so you're protected against future vulnerabilities without having to remember to check manually.
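If you look after more than a handful of machines, the version check in step 2 can be run against a list of installs rather than one PC at a time. The Python below is an added example, not Adobe's tooling or code from this article; the CSV layout, host names and installed versions are constructed for illustration, and only the minimum patched versions come from step 2.

```python
import csv
import io

# Minimum patched versions, taken from step 2 of the list above.
MIN_PATCHED = {
    ("dc", "windows"): "26.001.21411",
    ("dc", "macos"): "26.001.21411",
    ("2024", "windows"): "24.001.30362",
    ("2024", "macos"): "24.001.30360",
}

def parse_version(text):
    """Turn 'NN.NNN.NNNNN' into a tuple of ints so comparison is numeric."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(track, platform, version):
    """Return 'OK', 'UPDATE', or 'UNKNOWN' for one installation."""
    minimum = MIN_PATCHED.get((track.strip().lower(), platform.strip().lower()))
    if minimum is None:
        return "UNKNOWN"  # product/platform not in the table: check by hand
    try:
        installed = parse_version(version)
    except ValueError:
        return "UNKNOWN"  # never treat an unreadable version as patched
    return "OK" if installed >= parse_version(minimum) else "UPDATE"

def audit(inventory_csv):
    """Assess every row of a CSV with columns host,track,platform,version."""
    rows = csv.DictReader(io.StringIO(inventory_csv.strip()))
    return [(r["host"], assess(r["track"], r["platform"], r["version"])) for r in rows]

# Constructed sample inventory (hypothetical hosts and installed versions).
SAMPLE = """
host,track,platform,version
FRONTDESK-01,dc,windows,25.001.20000
ACCOUNTS-02,dc,windows,26.001.21411
DESIGN-MAC,2024,macos,24.001.30360
HR-03,2024,windows,24.001.30360
WAREHOUSE-04,dc,windows,not reported
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host:14} {status}")
```

Note that the same Acrobat 2024 build passes on macOS but needs updating on Windows, because the two platforms have different minimum versions. Any machine reported as UNKNOWN should be checked by hand rather than assumed safe.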

For a broader look at how to keep your software estate secure, read our guide on patch management essentials for small businesses.

Beyond the Patch: Building Resilience

Patching this one vulnerability is essential, but it's only part of the picture. Attackers constantly discover new flaws, and small businesses need a layered approach to security:

The UK's National Cyber Security Centre offers excellent free guidance for small businesses through their Cyber Essentials scheme, which covers these fundamentals and more.

The Bigger Picture

This Adobe vulnerability is a stark reminder that cyber threats don't discriminate by company size. In fact, the 2026 UK small business threat landscape shows that SMBs are increasingly targeted precisely because attackers expect weaker defences.

The cost of a breach for a small business can be devastating — not just financially, but in terms of customer trust and reputation. Taking proactive steps now, starting with this critical Adobe update, is far cheaper and less painful than dealing with the aftermath of an attack.

Cyber security isn't a one-off task — it's an ongoing commitment to protecting your business, your staff and your customers.

Not Sure If Your Business Is Protected?

Our managed cyber security packages are designed specifically for UK small businesses. We handle the patching, monitoring and response so you can focus on running your business.
