A high-severity vulnerability has been identified in the update service for Foxit PDF Reader and Editor. This flaw allows a local attacker with standard user access to a system to gain full administrative privileges, potentially leading to a complete system compromise, data theft, or the deployment of ransomware. Immediate patching is required to mitigate this critical risk.

This vulnerability is a local privilege escalation (LPE) within the Foxit Update Service component. The service, which runs with elevated (SYSTEM) privileges, improperly handles file permissions or execution paths. An authenticated attacker with low-level user permissions can exploit this by placing a malicious executable or library in a location that the update service trusts and executes. When the update service runs, it will execute the attacker's malicious code with SYSTEM-level privileges, granting the attacker full control over the affected endpoint.

With a CVSS score of 8.8, this vulnerability is rated as High severity. Successful exploitation allows an attacker who has already gained an initial foothold on a system (e.g., through phishing or another vulnerability) to escalate their privileges to the highest level. This enables them to bypass all local security controls, install persistent malware or ransomware, exfiltrate sensitive corporate data, disable security software, and use the compromised machine as a pivot point to move laterally across the network, significantly increasing the scope and impact of a security breach.

Immediate Action:

• Deploy the security updates provided by Foxit to all affected versions of Foxit PDF Reader and Editor across the organization without delay.
• Perform a review of user permissions on endpoints to ensure the principle of least privilege is enforced, minimizing the opportunity for attackers to exploit local vulnerabilities.

Proactive Monitoring:

• Monitor endpoint logs for any suspicious processes being spawned by the Foxit Update Service (e.g., FoxitUpdater.exe).
• Implement file integrity monitoring on the Foxit application directories to detect unauthorized modifications or the creation of new executable files.
• Configure Endpoint Detection and Response (EDR) solutions to alert on processes attempting to gain SYSTEM-level privileges from a standard user context.

Compensating Controls:

• If immediate patching is not feasible, implement application control or whitelisting solutions to prevent the execution of unauthorized code from user-writable directories.
• Restrict user permissions to prevent writing to the Foxit installation and update directories.
• Enhance endpoint security monitoring with specific rules to detect and block anomalous behavior associated with the Foxit Update Service.

Public Exploit Available: false

Given the high CVSS score of 8.8, this vulnerability presents a critical risk to the organization. It allows an attacker to turn minor system access into a full system compromise. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a prime candidate for future inclusion. We strongly recommend that all affected Foxit software be patched immediately to prevent potential exploitation. Systems should be prioritized for patching based on their criticality and user access levels.