CVE-2025-66493

Foxit · Foxit PDF Reader and Foxit PDF Editor

A high-severity vulnerability has been identified in multiple Foxit PDF products, which could allow an attacker to execute malicious code on a user's system.

Executive summary

A high-severity vulnerability has been identified in multiple Foxit PDF products, which could allow an attacker to execute malicious code on a user's system. Exploitation occurs when a user opens a specially crafted PDF file, potentially leading to a full system compromise, data theft, or a denial-of-service condition. Immediate patching is required to mitigate the significant risk posed by this flaw.

Vulnerability

The vulnerability is a use-after-free error within the software's component for handling AcroForms (interactive PDF forms). An attacker can craft a malicious PDF document with a specially designed AcroForm that, when processed by a vulnerable version of the software, causes the application to reference a portion of memory that has already been deallocated. This memory corruption can be leveraged by the attacker to hijack the application's control flow, leading to arbitrary code execution with the same permissions as the logged-in user. A failed exploitation attempt will likely result in the application crashing, causing a denial-of-service.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.8, posing a significant risk to the organization. Successful exploitation could allow an attacker to gain initial access to a corporate workstation, which can be used as a beachhead for further lateral movement within the network. Potential consequences include the deployment of ransomware, installation of spyware to steal sensitive corporate or personal data, and complete compromise of the affected user's system. Such an incident could lead to operational disruption, financial loss, reputational damage, and regulatory penalties related to a data breach.

Remediation

Immediate Action:

  • Identify all endpoints with vulnerable versions of Foxit PDF Reader and Foxit PDF Editor installed.
  • Deploy the security updates provided by the vendor to all affected systems immediately.
  • Prioritize patching for users who frequently handle documents from external sources, such as finance, legal, and executive teams.
  • Monitor security logs for any signs of attempted exploitation, such as unexpected application crashes or suspicious process behavior.

Proactive Monitoring:

  • Endpoint Detection and Response (EDR): Monitor for FoxitPDFReader.exe or FoxitPDFEditor.exe processes spawning child processes such as cmd.exe, powershell.exe, or other unexpected executables.
  • Application Logs: Review Windows Event Logs for an increase in application crashes related to Foxit software, which could indicate failed exploitation attempts.
  • Network Traffic: Monitor for unusual outbound network connections from workstations originating from a Foxit process immediately after a user opens a PDF document.
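The EDR and application-log checks above, written out as detection logic over constructed sample telemetry. This is an added Python example, not part of this advisory or of any Foxit tooling; the Foxit install path, the allowlist of expected child processes, the crash-burst threshold and every sample record are assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

FOXIT_PROCESSES = {"foxitpdfreader.exe", "foxitpdfeditor.exe"}
# Assumed allowlist of children a Foxit process may legitimately launch (tune per site).
EXPECTED_CHILDREN = {"foxitpdfreader.exe", "foxitpdfeditor.exe"}
CRASH_THRESHOLD, CRASH_WINDOW = 3, timedelta(minutes=10)  # assumed burst definition

def _basename(image):
    return PureWindowsPath(image).name.lower()

def suspicious_children(events):
    """Foxit parent (Sysmon Event ID 1 style record) spawning a child outside the allowlist."""
    return [ev for ev in events if ev["event_id"] == 1
            and _basename(ev["parent_image"]) in FOXIT_PROCESSES
            and _basename(ev["image"]) not in EXPECTED_CHILDREN]

def crash_bursts(events):
    """Hosts with >= CRASH_THRESHOLD Foxit crashes (Event ID 1000 style) within CRASH_WINDOW."""
    per_host = {}
    for ev in events:
        if ev["event_id"] == 1000 and _basename(ev["faulting_app"]) in FOXIT_PROCESSES:
            per_host.setdefault(ev["host"], []).append(ev["time"])
    flagged = set()
    for host, times in per_host.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window anchored at each crash
            if sum(1 for t in times[i:] if t - start <= CRASH_WINDOW) >= CRASH_THRESHOLD:
                flagged.add(host)
                break
    return flagged
# Constructed sample telemetry; the Foxit install path is a placeholder, not the real one.
T0 = datetime(2025, 1, 1, 9, 0)
READER = r"C:\FOXIT_INSTALL_DIR\FoxitPDFReader.exe"
CMD = r"C:\Windows\System32\cmd.exe"

def _proc(host, parent, image):  # Sysmon Event ID 1 style record
    return {"event_id": 1, "host": host, "time": T0, "parent_image": parent, "image": image}

def _crash(host, when):  # Windows Application log Event ID 1000 style record
    return {"event_id": 1000, "host": host, "time": when, "faulting_app": "FoxitPDFEditor.exe"}

SAMPLE_EVENTS = (
    [_proc("ws01", READER, CMD),                      # Foxit -> cmd.exe: alert
     _proc("ws02", r"C:\Windows\explorer.exe", CMD),  # not a Foxit parent: ignore
     _proc("ws01", READER, READER)]                   # allowlisted child: ignore
    + [_crash("ws03", T0 + timedelta(minutes=2 * i)) for i in range(3)]  # 3 in 4 min
    + [_crash("ws04", T0 + timedelta(hours=i)) for i in range(3)]        # spread out
)
```

Feeding real Sysmon process-creation and Application-log crash events into the two functions flags ws01 (Foxit spawning cmd.exe) and ws03 (three Foxit crashes in four minutes) while ignoring the explorer-launched cmd.exe and the crashes spread over hours.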

Compensating Controls:

  • User Awareness Training: Advise users to be cautious and not open PDF attachments from unverified or untrusted sources.
  • Email Security Gateway: Configure email filters to scan and block or quarantine PDF attachments with suspicious characteristics.
  • Application Hardening: Use Attack Surface Reduction (ASR) rules or similar application control technologies to block document-handling applications from creating child processes. Note that the built-in ASR rule covers Office applications only, so an equivalent control must be applied to the Foxit processes themselves.
  • Sandboxing: Encourage users to open untrusted PDF documents in a sandboxed environment or a virtual machine to contain any potential malicious activity.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Immediate patching is the most critical and effective mitigation for this vulnerability. Given the high CVSS score of 7.8 and the prevalence of Foxit software in enterprise environments, this vulnerability presents a significant and immediate risk. Although it is not currently on the CISA KEV list, its potential for enabling remote code execution makes it a prime candidate for future exploitation. We strongly recommend that all organizations prioritize the deployment of vendor-supplied updates to all affected systems without delay to prevent potential system compromise.