CVE-2025-9329
Foxit · Foxit Multiple Products
Executive summary
A high-severity vulnerability has been identified in multiple Foxit products, allowing for remote code execution. An attacker could exploit this by tricking a user into opening a specially crafted PDF file, which could allow the attacker to take full control of the affected system, leading to data theft, malware installation, or further network intrusion.
Vulnerability
The vulnerability is an Out-Of-Bounds Read condition that occurs when a vulnerable version of Foxit software parses a malformed PRC (Product Representation Compact) file, which can be embedded within a PDF document. An attacker can create a malicious PRC file that causes the application to read data from outside of its intended memory buffer. This memory corruption can be leveraged by an attacker to divert the program's execution flow, ultimately leading to arbitrary code execution in the context of the current user. Exploitation requires a user to open the malicious file.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could have a significant business impact, allowing an attacker to execute arbitrary code with the privileges of the user running the Foxit application. This could lead to the compromise of sensitive corporate data, deployment of ransomware, installation of persistent backdoors for long-term access, or use of the compromised machine as a pivot point to attack other internal network resources. The risk is elevated for organizations where employees frequently open PDF documents from external sources, such as email attachments or web downloads.
Remediation
Immediate Action: Apply the security patches released by Foxit to all affected systems immediately. Priority should be given to systems that interact with external documents, such as user workstations. In parallel, security teams should actively monitor for signs of exploitation, such as unexpected application crashes or suspicious child processes spawning from Foxit applications, and review relevant system and network access logs.
Proactive Monitoring: Implement enhanced monitoring to detect potential exploitation attempts. This includes monitoring for abnormal process behavior from Foxit Reader/Editor executables (e.g., launching cmd.exe or powershell.exe), inspecting network traffic for unusual outbound connections from workstations after a PDF has been opened, and configuring EDR/antivirus solutions to alert on memory corruption or code injection techniques.
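The parent/child process check described under Proactive Monitoring, as an added example (not from Foxit or the original advisory): it scans constructed process-creation records shaped like Sysmon Event ID 1 fields and grades any child of a Foxit process. The Foxit image names and the script hosts beyond cmd.exe and powershell.exe are assumptions to adjust to your deployment.

```python
import json
import ntpath

# Assumed image names for Foxit Reader/Editor builds; adjust to what you deploy.
FOXIT_PARENTS = {"foxitpdfreader.exe", "foxitpdfeditor.exe", "foxitreader.exe"}
# cmd.exe and powershell.exe come from the advisory; the rest are assumed additions.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample records (hosts, paths and times are made up for illustration).
SAMPLE_EVENTS = r"""
{"UtcTime": "2025-01-01 09:00:01", "Computer": "WS-01", "ParentImage": "C:\\Apps\\Foxit\\FoxitPDFReader.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"UtcTime": "2025-01-01 09:00:05", "Computer": "WS-01", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\powershell.exe", "CommandLine": "powershell.exe"}
{"UtcTime": "2025-01-01 09:02:11", "Computer": "WS-02", "ParentImage": "C:\\APPS\\FOXIT\\FOXITPDFEDITOR.EXE", "Image": "C:\\Windows\\System32\\PowerShell.exe", "CommandLine": "PowerShell.exe -nop"}
{"UtcTime": "2025-01-01 09:03:40", "Computer": "WS-03", "ParentImage": "C:\\Apps\\Foxit\\FoxitPDFReader.exe", "Image": "C:\\Users\\a\\AppData\\Local\\Temp\\x.exe", "CommandLine": "x.exe"}
{"UtcTime": "2025-01-01 09:04:00", "Computer": "WS-03", "ParentImage": "C:\\Apps\\Foxit\\FoxitPDFReader.exe", "Image": "C:\\Apps\\Foxit\\FoxitPDFReader.exe", "CommandLine": "FoxitPDFReader.exe"}
not-json garbage line
"""

def classify(event):
    """Return 'high', 'review' or None for one process-creation record."""
    # ntpath parses Windows paths correctly even when this runs on Linux.
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent not in FOXIT_PARENTS:
        return None
    if child in SHELLS:
        return "high"      # interpreter spawned by a PDF application
    if child in FOXIT_PARENTS:
        return None        # the application relaunching itself
    return "review"        # other children are not necessarily malicious; triage

def scan(lines):
    """Return (severity, host, time, image, command line) for each flagged record."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue       # skip blank or malformed lines instead of aborting
        if not isinstance(event, dict):
            continue
        severity = classify(event)
        if severity:
            findings.append((severity, event.get("Computer"), event.get("UtcTime"),
                             event.get("Image"), event.get("CommandLine")))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(*finding, sep=" | ")
```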
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- Educate users about the threat and advise them not to open PDF files from untrusted or unsolicited sources.
- Use application control solutions to prevent Foxit products from creating child processes.
- Ensure web and email security gateways are configured to scan and block malicious PDF files.
- Restrict user permissions to limit the potential impact of a successful exploit.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the high severity (CVSS 7.8) and the potential for complete system compromise, it is strongly recommended that organizations prioritize the deployment of the vendor-supplied patches for CVE-2025-9329 across all affected endpoints. Although there is no evidence of active exploitation at this time, the risk of future exploitation is high. Organizations should treat this as a critical vulnerability and aim to complete patching within their standard critical vulnerability remediation timelines.