CVE-2025-9326
Foxit · Foxit Multiple Products
Executive summary
A high-severity vulnerability has been discovered in multiple Foxit products that could allow an attacker to take full control of a user's computer. This flaw is triggered when a user opens a specially crafted malicious PDF file, which could lead to data theft, malware installation, and further network compromise. Immediate patching is required to mitigate this significant risk.
Vulnerability
This vulnerability is an Out-Of-Bounds Read that occurs during the parsing of PRC (Product Representation Compact) files embedded within a PDF document. An attacker can craft a malicious PRC object that, when processed by a vulnerable version of Foxit software, causes the application to read data from outside its intended memory buffer. The attacker can leverage this out-of-bounds access to crash the application, disclose sensitive information from memory, or, most critically, achieve remote code execution (RCE) in the security context of the user who opened the file.
Business impact
This is a High severity vulnerability with a CVSS score of 7.8. Successful exploitation could lead to a complete compromise of the affected user's workstation. The business impact includes the potential for data exfiltration of sensitive corporate information, deployment of ransomware or spyware, and the use of the compromised system as a foothold to launch further attacks against the internal network. A compromise originating from a widely used application like a PDF reader can undermine user trust and lead to significant operational disruption and data loss.
Remediation
Immediate Action: Apply the security patches released by Foxit immediately to all workstations with vulnerable software installations. Prioritize patching for systems used by high-risk users or those handling sensitive data. Security teams should actively monitor for signs of exploitation and review application and system logs for any anomalous activity related to Foxit PDF Reader.
Proactive Monitoring: Implement monitoring to detect potential exploitation attempts. Look for application crash logs from Foxit processes, which could indicate a failed exploit. Use Endpoint Detection and Response (EDR) solutions to monitor for suspicious child processes being spawned by Foxit PDF Reader (e.g., FoxitPDFReader.exe launching cmd.exe or powershell.exe). Monitor network traffic for unusual outbound connections from workstations immediately after a PDF file has been opened.
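The three monitoring signals above, expressed as detection logic over endpoint telemetry (an added example, not from the advisory or from Foxit). The event field names, the sample events, the 10.0.0.0/8 internal range and the 60-second window are assumptions; map them to what your EDR or log pipeline actually records.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from ntpath import basename  # parses Windows paths on any OS

FOXIT = {"foxitpdfreader.exe"}           # process name from the advisory
SHELLS = {"cmd.exe", "powershell.exe"}   # child processes named in the advisory
INTERNAL = ip_network("10.0.0.0/8")      # assumption: the internal address range
WINDOW = timedelta(seconds=60)           # assumption: "immediately after" opening

# Constructed sample telemetry. Field names are hypothetical; map them from
# your EDR or Sysmon process-creation, network and application-crash records.
EVENTS = [
    {"ts": "2025-01-01T09:00:00", "host": "ws1", "type": "proc",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Apps\FoxitPDFReader.exe",
     "cmd": r"FoxitPDFReader.exe C:\Users\a\invoice.pdf"},
    {"ts": "2025-01-01T09:00:05", "host": "ws1", "type": "proc",
     "parent": r"C:\Apps\FoxitPDFReader.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe"},
    {"ts": "2025-01-01T09:00:20", "host": "ws1", "type": "net", "dst": "203.0.113.10"},
    {"ts": "2025-01-01T09:30:00", "host": "ws1", "type": "net", "dst": "203.0.113.10"},
    {"ts": "2025-01-01T10:00:00", "host": "ws2", "type": "crash",
     "image": r"C:\Apps\FoxitPDFReader.exe"},
    {"ts": "2025-01-01T10:05:00", "host": "ws3", "type": "net", "dst": "10.1.2.3"},
]

def name(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return basename(path).lower()

def detect(events):
    """Return (host, rule, timestamp) alerts for the three signals in the advisory."""
    alerts, last_open = [], {}   # last_open: host -> time Foxit last opened a PDF
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["type"] == "proc":
            if name(ev["parent"]) in FOXIT and name(ev["image"]) in SHELLS:
                alerts.append((host, "foxit_spawned_shell", ev["ts"]))
            if name(ev["image"]) in FOXIT and ".pdf" in ev["cmd"].lower():
                last_open[host] = ts
        elif ev["type"] == "crash" and name(ev["image"]) in FOXIT:
            alerts.append((host, "foxit_crash", ev["ts"]))
        elif ev["type"] == "net" and host in last_open:
            external = ip_address(ev["dst"]) not in INTERNAL
            if external and ts - last_open[host] <= WINDOW:
                alerts.append((host, "outbound_after_pdf_open", ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A crash alert on its own is low-confidence; it carries more weight when the same host also shows one of the other two signals.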
Compensating Controls: If patching cannot be immediately deployed, implement the following controls to reduce risk:
- Configure email and web security gateways to scan and block PDF files containing malicious or malformed PRC objects.
- Use application control or whitelisting to prevent Foxit processes from executing unauthorized commands or creating new executable files.
- Enforce user awareness training, reminding employees to be cautious and not open PDF attachments or links from untrusted or unsolicited sources.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability presents a significant risk and requires immediate attention. The primary recommendation is to prioritize the deployment of the vendor-supplied patches across all affected systems within the organization. Although CVE-2025-9326 is not currently on the CISA KEV list, its high CVSS score and potential for remote code execution warrant treating it with the urgency of an actively exploited threat. Security teams should concurrently enhance monitoring capabilities to detect exploitation attempts against any systems that remain unpatched after the patch rollout.