EXPMON (@EXPMON_) · 78 posts
Advanced sandbox-based system specifically designed and built for detecting file-based zero-day and hard-to-detect exploits. By @HaifeiLi.

Worldwide · Joined August 2021
87 Following · 1.6K Followers
EXPMON @EXPMON_ ·
Correction: Adobe has informed us that they previously made a mistake with the CVSS score and have now corrected it to 8.6. This reflects the fact that the vulnerability is triggered via a local file-opening attack vector. Please note that this does not reduce the urgency of the issue and users should continue to apply the patch as soon as possible in order to prevent potential attacks.
EXPMON @EXPMON_ ·
Adobe has confirmed our findings and has issued an emergency security update for all Adobe Reader (and other affected products) users. helpx.adobe.com/security/produ… The underlying exploited zero-day vulnerability has been rated Critical (CVSS 9.6) and is tracked as CVE-2026-34621. It appears that Adobe has determined the bug can lead to arbitrary code execution — not just an information leak. This aligns with our findings and those of other security researchers over the last few days. EXPMON would like to thank Adobe for releasing this emergency security update quickly to help protect users. UPDATE NOW! #expmon #zeroday #0day #pdf #adobereader #CVE-2026-34621
EXPMON @EXPMON_ ·
"Adobe has advised that the security update should be installed within 72 hours." (from media coverage: forbes.com/sites/daveywin…)
EXPMON reposted
Haifei Li @HaifeiLi ·
Fun fact about the Adobe Reader 0day: actually, it's the "AdobeCollabSync.exe" ("C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe") process that communicates with the attacker-controlled server, not the "Acrobat.exe". Therefore, if you're hunting the threat with e.g. your EDR telemetry, you may want to look at that "AdobeCollabSync.exe" process too. #threatintel
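The EDR hunting suggestion in the post above, as an added example that is not part of the original post and not EXPMON's or the author's tooling: a small Python filter over constructed JSON-lines network telemetry. The event schema (`event`, `image`, `parent_image`, `dest_host`, `dest_port`) and the baseline of `adobe.com` destinations are assumptions to be mapped onto your own EDR and tuned from your own data; the hostnames and timestamps are constructed. It shows the point of the post: a rule that only watches Acrobat.exe misses the outbound connection, while watching AdobeCollabSync.exe too catches it.

```python
import ipaddress
import json

# Constructed EDR-style network telemetry as JSON lines (not real logs).
# Field names are assumptions; map them to your EDR's own schema.
SAMPLE_TELEMETRY = "\n".join(json.dumps(e) for e in [
    {"ts": "2026-05-01T09:00:01Z", "event": "network_connect",
     "image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "dest_host": "update.adobe.com", "dest_port": 443},
    {"ts": "2026-05-01T09:00:04Z", "event": "process_create",
     "image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe",
     "parent_image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"},
    {"ts": "2026-05-01T09:00:05Z", "event": "network_connect",
     "image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe",
     "parent_image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "dest_host": "203.0.113.7", "dest_port": 443},
    {"ts": "2026-05-01T09:00:09Z", "event": "network_connect",
     "image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe",
     "parent_image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "dest_host": "sync.adobe.com", "dest_port": 443},
    {"ts": "2026-05-01T09:01:00Z", "event": "network_connect",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "dest_host": "203.0.113.7", "dest_port": 443},
])

# Destinations the Acrobat family is expected to talk to. Simplified
# assumption (the vendor's own domain); tune it from your own baseline data.
BASELINE_SUFFIXES = ("adobe.com",)


def is_baselined(host: str) -> bool:
    """True if the destination is an expected vendor host; raw IPs never are."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in BASELINE_SUFFIXES)


def hunt(telemetry: str,
         watched=frozenset({"acrobat.exe", "adobecollabsync.exe"})) -> list:
    """Outbound connections by watched Acrobat-family processes to non-baselined hosts."""
    alerts = []
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event") != "network_connect":
            continue
        proc = ev["image"].rsplit("\\", 1)[-1].lower()
        if proc not in watched or is_baselined(ev["dest_host"]):
            continue
        alerts.append({"ts": ev["ts"], "process": proc,
                       "parent": ev["parent_image"].rsplit("\\", 1)[-1].lower(),
                       "dest": f'{ev["dest_host"]}:{ev["dest_port"]}'})
    return alerts


if __name__ == "__main__":
    print("Acrobat.exe only:", hunt(SAMPLE_TELEMETRY, {"acrobat.exe"}))
    print("with AdobeCollabSync.exe:", hunt(SAMPLE_TELEMETRY))
```

The parent relationship is carried in each alert so an analyst can see that the connecting process was spawned by Acrobat.exe, which is what ties a document-open to the outbound connection during triage.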
EXPMON reposted
Haifei Li @HaifeiLi ·
Dear security community/researchers, I'd really like to call on you to look at this x.com/greglesnewich/…; this information shows that the threat actors behind this Adobe Reader 0day attack were not just collecting local information but were really delivering additional exploits. More analysis is needed to figure out what the exploit really is. I'm one person and don't have enough time to work on all the things.. Another earlier sample found today (virustotal.com/gui/file/54077…), which appeared on VT on 2025-11-28, shows that this APT campaign has been ongoing for at least 5 months, showing how serious this threat is. #pdf #zeroday #0day #threatintel #apt
Quoted post, Greg Lesnewich @greglesnewich:
@HaifeiLi Also, the original sample you found has a PCAP on VT that gets a cipher text payload but not the key :( Uploaded traffic here: gist.github.com/g-les/05f6edd8…
EXPMON reposted
Haifei Li @HaifeiLi ·
Whoa! This does seem to be a variant if you look at the Relations on VT, and this sample appeared on VT since 2025-11-28, (if confirmed) showing how long this advanced zero-day attack campaign has been ongoing! However, I don't have a VT account, could someone share the sample w/ me or just submit it to pub.expmon.com ? Thanks! x.com/greglesnewich/…
EXPMON @EXPMON_ ·
Here is another "0day crash" sample detected by EXPMON that was later found to be non-exploitable (a previous one in WPS Office: x.com/EXPMON_/status…). Check out this sample detected in mid-January: pub.expmon.com/analysis/30938… This is a highly suspicious crash in LibreOffice Impress, affecting the latest version. The crash occurs within the "soffice.bin" process (note: not the "soffice.exe" process), as shown in the picture below. Although I noted this detection back in January, I was tied up with other findings (primarily my Office fuzzing project). I later submitted the case to the ZDI program. Their team helped with the triage and confirmed that this is a non-exploitable crash - even though it occurs within a very suspicious "memcpy()" function. I'd like to thank the ZDI researchers for their time and effort in analyzing this bug. If you are a LibreOffice developer looking to patch this "non-exploitable-but-still-ugly" bug, or a researcher interested in the technical details, you can download the sample here: drive.google.com/file/d/1UIEpNz… (password: "infected"). Enjoy! Yeah, from time to time EXPMON detects various suspicious things even in public samples - not necessarily "0day attacks", but sometimes "0day bugs". :) #expmon #exploitdetection #threatintel #libreoffice
[attached images]
Quoted post: EXPMON @EXPMON_ (the January WPS Office submission post, shown in full further down this page)
EXPMON reposted
Haifei Li @HaifeiLi ·
If you're into WPS Office security research, this might be an interesting sample, submitted by someone a couple of weeks ago pub.expmon.com/analysis/31493…. Not saying it's def. an exploit, but it does have an OLESS stream containing maybe some malicious WPS-specific Macros. No time to dig more for me, new to WPS. #expmon #threatintel
EXPMON @EXPMON_ ·
A "wild" submission on EXPMON! On January 17, a suspicious RTF sample was submitted to EXPMON (pub.expmon.com). pub.expmon.com/analysis/31128… While the EXPMON system didn't immediately flag it as "Malicious", it reported multiple highly suspicious Indicators — such as the "suspicious process started from users folder", and the "suspicious process created by main". These Indicators allowed me (and other researchers) to quickly zero in on and investigate the sample. Upon analysis, I've confirmed that it triggered an unpatched crash on the latest version of WPS Office. Since I found no suspicious payload within the sample, I reported it as a potential vulnerability via the ZDI program. Thanks to the ZDI researchers, it was confirmed last week that the crash is technically non-exploitable. Therefore, I am now disclosing the full details. The sample is available for download here (password: "infected"): drive.google.com/file/d/1zBruA0…, so other researchers can investigate this interesting crash. The crash looks like the following attached picture shows. This case once again demonstrates EXPMON's capabilities — not only in detecting in-the-wild zero-day exploits but also in identifying minor suspicious behaviors from an exploit/vulnerability perspective. I have also updated the Detection Logic for WPS to ensure immediate reporting when a suspicious WPS application crash is detected. You can view the re-submission of the sample here: pub.expmon.com/analysis/314933. Some interesting points regarding this submission.. 1. This is the first WPS crash that EXPMON detected since EXPMON covered the WPS Office software in January (justhaifei1.blogspot.com/2026/01/major-…). 2. This is not a normal sample, but a manmade/crafted one, a crash PoC. 3. While this is probably not exploitable, it still looks ugly (an integer overflow?). If you're the vendor (WPS), you may want to patch it. 4. No idea who submitted this, and EXPMON does not track any submitter information. 
And, yeah, I noted the string message in the sample.. Anyway, thanks for testing EXPMON, I guess.. #expmon #zeroday #0day #wps #threatintel
[attached images]

EXPMON reposted
Haifei Li @HaifeiLi ·
No idea who submitted this*, but this is a "zero-day but probably non-exploitable crash" which could be triggered on the latest WPS Office software (which is popular especially in Asia), and there's a wild message in the sample, it seems to me (?). Since this is a non-exploitable crash and no payload was found, full disclosure soon. pub.expmon.com/analysis/31128… * EXPMON does not track any information about the submitter, it only receives samples. #expmon #0day #zeroday #wps #exploitdetection
EXPMON @EXPMON_ ·
EXPMON has been updated to v20260203! This is a Detection Logic update, to provide more accurate & deeper decisive Detection Result against the ongoing Microsoft Office zero-day exploits CVE-2026-21509, an improvement of yesterday's v20260202 Detection Logic update. Now it should give decisive Detection Result even for PoC level exploits. An example is pub.expmon.com/analysis/31164…, this is a minimal PoC for this CVE-2026-21509 zero-day vulnerability - now detected & reported. #expmon #CVE-2026-21509 #office #zeroday #0day #ThreatIntel
EXPMON @EXPMON_ ·
EXPMON has been updated to v20260202! This is a Detection Logic update, to provide decisive Detection Result against the ongoing Microsoft Office zero-day exploits CVE-2026-21509. For example, below are two real, in-the-wild samples of the Office 0day which were just disclosed today: pub.expmon.com/analysis/31163… pub.expmon.com/analysis/31163… Previously, these samples were detected only via the Indicators (see x.com/HaifeiLi/statu…). Since this update, they will now be classified/shown as "Malicious - potential exploit CVE-2026-21509", easier for users to identify the threat. Enjoy the hunting!:) #expmon #CVE-2026-21509 #office #zeroday #0day #threatintel
[attached image]

EXPMON reposted
Haifei Li @HaifeiLi ·
Someone submitted the real CVE-2026-21509 sample to EXPMON last night! Check out this submission: pub.expmon.com/analysis/31163… The SHA256 of the sample (it's an RTF file): c91183175ce77360006f964841eb4048cf37cb82103f2573e262927be4c7607f While EXPMON didn't report the 0day immediately - this is well expected - it reported various highly suspicious Indicators, including the key Indicator named "activex compatibility shellexplorer registry key accessed". I shared how to use this key Indicator on EXPMON to hunt the 0day just days ago: x.com/HaifeiLi/statu…. That's enough to investigate it manually in your local env, and I have just confirmed this is indeed the CVE-2026-21509 zero-day exploit! My quick analysis showed that this is the initial attack vector sample in a full attacking chain. Thanks to EXPMON logs, I quickly found that the RTF file was trying to load the IE engine (the "ieframe.dll") while also trying to connect to the threat actor controlled server; one of the URLs is "\\wellnesscaremed[.]com\davwwwroot\venezia\Favorites\blank.doc" (see the pic attached) - all activities are automatic, meaning as soon as the victim opens the Word document, the victim could be pwned. There's not just one but quite several OLE objects in the RTF which are, to be honest, quite sophisticated, showing the sophistication of the zero-day attack. Full details haven't been fully understood in such a short time. The same sample was also listed/confirmed by the Ukrainian CERT cert.gov.ua/article/6287250 independently; there are more details in that article, please go check it out. What a wild story! Thank you very much to the person who submitted the sample (and I received your message about adding the "unzip" feature:))! Once again it confirmed the effectiveness of the EXPMON system when it comes to detecting unknown 0day exploits. Quickly, for defenders: 1. Please research all the things starting from the sample, this is the confirmed CVE-2026-21509 0day initial attack vector sample, and add detections (currently the detection ratio on VT is pretty low) in the full chain. 2. If you're a Microsoft Office user, please apply Microsoft's official patch or workarounds ASAP msrc.microsoft.com/update-guide/v…, as now the attacking exploit is well known so attacks are expected to increase rapidly. For me, there's more work to do, including an EXPMON update for determinate detection against this 0day exploit. In the meantime, if you see the "activex compatibility shellexplorer registry key accessed" Indicator on EXPMON, please be cautious because that's likely the 0day sample/variants. #CVE-2026-21509 #expmon #0day #zeroday #exploit #threatintel
[attached images]

EXPMON reposted
Haifei Li @HaifeiLi ·
Protip for @EXPMON_ : if you have a bunch of suspicious samples to submit, you can use this script to do that github.com/EXPMON/PubTool…, like what I'm doing right now. Zipping them into a .zip & submitting may work too but using the script is cleaner (easy to see each detection).
EXPMON reposted
Haifei Li @HaifeiLi ·
A quick update for hunting the CVE-2026-21509 0day sample.. Weird (and good) stuff! - my EXPMON system has an existing Indicator Logic specifically detecting the "shellexplorer" OLE/COM/ActiveX object (the same {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}; "shellexplorer" is the progid name), which is the key to look for potential CVE-2026-21509 0day! And I have forgotten why I wrote that detection logic in the first place, really..😅 But anyway, if you spot a sample which was detected with such an Indicator on @EXPMON_ , then it could be a very good candidate! See this example pub.expmon.com/analysis/31153…, the Indicator's name is "activex compatibility shellexplorer registry key accessed". Please note that even if the sample is not detected ("Undetected"), as long as it's detected w/ such an Indicator, it could still be the 0day. You then test in an unpatched env to see what's going on. Please note that you should not connect your testing VM to the Internet, because once you connect to the Internet Office will get patched automatically with some server-side configuration which is already deployed according to Microsoft's advisory. Or, you can let me know your submission, I have a VM ready for testing. Happy hunting! :)
[attached image]

EXPMON reposted
Haifei Li @HaifeiLi ·
Fun, the new "suspicious 0day" on @EXPMON_ (pub.expmon.com/analysis/31153…) was submitted by @wdormann, I just confirmed this is an "intentional crash" - meaning it was likely a real vuln but got patched by the Microsoft Office team (and yeah, they left a non-exploitable crash to troll you Office security researchers, I know..). I'm posting this so you don't have to be overexcited.:)
[attached images]

EXPMON @EXPMON_ ·
Dear community, since there's an ongoing Office zero-day attack (CVE-2026-21509) in the wild, if you're encountering suspicious Office files (e.g. email attachments), you may also want to submit them to the EXPMON system (pub.expmon.com). There's no guarantee it will detect the 0-day immediately (since this is for unknown 0days), but it does allow me to perform future retrospective Big Data analytics - which, in fact, usually recognizes 0-days at a later time - and so helps improve/refine the detection logic. Thanks!
EXPMON reposted
Haifei Li @HaifeiLi ·
Yesterday, after releasing the updated @EXPMON_ system to the public (justhaifei1.blogspot.com/2026/01/major-…), I ran a task to submit a batch of public samples for testing. Interestingly, the system quickly detected an application crash in LibreOffice Impress (the app responsible for handling PowerPoint files). The submission can be found here: pub.expmon.com/analysis/30541… The sample is also on VirusTotal, or contact me I can send you the sample. I then did a quick & manual test on the latest LibreOffice version (25.8.4), and it seems to me this is a null pointer dereference bug rather than an exploitable one. However, I still recommend that folks from the LibreOffice team take a closer look (just to be sure, because mine was a very quick analysis), and fix the crash (it's not ideal for your application to crash when processing a file). This demonstrates the power of the EXPMON system, as you can find interesting stuff in an automatic manner. :) #expmon #LibreOffice #vulnerability #freebug
[attached images]