CVE-2025-9328
Foxit · Foxit Multiple Products
Executive summary
A high-severity vulnerability has been identified in multiple Foxit software products, which could allow an attacker to take full control of a user's system. This is achieved by tricking a user into opening a specially crafted PDF file, which can lead to remote code execution, posing a significant risk of data theft, malware infection, and system compromise.
Vulnerability
This vulnerability is an out-of-bounds read condition within the PRC (Product Representation Compact) file parsing engine of Foxit PDF Reader. An attacker can craft a malicious PRC object and embed it within a PDF document. When a user opens this document, the vulnerable software attempts to read data beyond the boundary of an allocated memory buffer, which can be leveraged by the attacker to corrupt memory and execute arbitrary code with the privileges of the current user.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could lead to a complete compromise of the affected endpoint, allowing an attacker to install malware (such as ransomware or spyware), exfiltrate sensitive corporate or personal data, and use the compromised machine as a pivot point to move laterally within the network. The potential business impact includes data breaches, financial loss, operational disruption, and significant reputational damage.
Remediation
Immediate Action: Apply the security patches released by Foxit immediately, prioritizing all endpoints where the affected software is installed. For internet-facing systems or those handled by users who frequently interact with external documents, this action is critical. Concurrently, monitor for signs of exploitation by reviewing application and system logs for any unusual activity originating from Foxit processes.
Proactive Monitoring: Security teams should configure monitoring and alerting for suspicious process chains originating from Foxit PDF Reader (e.g., FoxitPDFReader.exe spawning powershell.exe, cmd.exe, or other unexpected processes). Monitor network traffic for unusual outbound connections from workstations running Foxit products. Endpoint Detection and Response (EDR) solutions should be tuned to detect memory corruption and process injection techniques.
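The process-chain check described above, as an added example that is not part of the original advisory or of any vendor tooling. It assumes process-creation events exported as JSON lines with Sysmon Event ID 1 field names (ParentImage, Image, Computer); the script hosts beyond powershell.exe and cmd.exe, the allowlist entry, and all sample paths and host names are assumptions constructed for illustration.

```python
import json
import ntpath

PARENT = "foxitpdfreader.exe"  # parent named on the page, compared case-insensitively
# Children named on the page plus other Windows script hosts (the extras are an assumption).
INTERPRETERS = {"powershell.exe", "cmd.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def classify(event, allowed_children=frozenset()):
    """Return 'high', 'review' or None for one process-creation event."""
    if not isinstance(event, dict):
        return None
    # ntpath splits on backslashes even when the analysis host is not Windows.
    parent = ntpath.basename(event.get("ParentImage") or "").lower()
    child = ntpath.basename(event.get("Image") or "").lower()
    if parent != PARENT or not child:
        return None
    if child in INTERPRETERS:
        return "high"    # command-line or script interpreter under the reader
    if child in allowed_children:
        return None      # child the operator has reviewed and expects
    return "review"      # any other unexpected child process

def scan(lines, allowed_children=()):
    """Return [(severity, host, child image)] for matching JSON lines."""
    allowed = frozenset(c.lower() for c in allowed_children)
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue     # blank, truncated or non-JSON line
        severity = classify(event, allowed)
        if severity:
            hits.append((severity, event.get("Computer"), event["Image"]))
    return hits

# Constructed sample events, not real telemetry; paths and host names are placeholders.
SAMPLE = r'''
{"Computer":"ws-01","ParentImage":"C:\\Example\\FoxitPDFReader.exe","Image":"C:\\Windows\\System32\\cmd.exe"}
{"Computer":"ws-02","ParentImage":"C:\\Example\\FOXITPDFREADER.EXE","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.exe"}
{"Computer":"ws-03","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe"}
{"Computer":"ws-04","ParentImage":"C:\\Example\\FoxitPDFReader.exe","Image":"C:\\Example\\ExampleHelper.exe"}
{"Computer":"ws-05","ParentImage":"C:\\Example\\FoxitPDFReader.exe","Ima
'''.splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE, allowed_children={"ExampleHelper.exe"}):
        print(*hit, sep="\t")
```

Matching on the image file name alone keeps the rule independent of the install path, at the cost of also matching any other binary with the same name.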
Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:
- Use application control solutions to prevent Foxit Reader from launching child processes like command-line interpreters or scripts.
- Enforce email and web security gateway policies to scan for and block or quarantine PDF files from untrusted sources.
- Educate users on the risks of opening unsolicited attachments and links, even if they appear to be standard documents.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the high severity (CVSS 7.8) and the critical risk of remote code execution, this vulnerability requires immediate attention. Organizations are strongly advised to prioritize the deployment of vendor-supplied security patches across all affected endpoints to mitigate this threat. While this vulnerability is not currently listed in the CISA KEV catalog, its high potential for exploitation warrants treating it with the same urgency as a known exploited vulnerability. Continue to monitor for any changes in its exploitation status and apply compensating controls where patching is delayed.