A high-severity vulnerability exists within the Foxit PDF Reader's update service that could allow a local attacker to gain complete control over an affected system. An authenticated user with basic permissions could exploit this flaw to escalate their privileges to the highest level, enabling them to install malware, steal sensitive data, or compromise the entire workstation.

This vulnerability is an Uncontrolled Search Path Element, commonly known as DLL Hijacking. The Foxit PDF Reader Update Service, which typically runs with elevated (SYSTEM) privileges, attempts to load a required library (DLL) or executable without specifying a secure, absolute path. An attacker with low-level user access can place a malicious file with the same name in a location that the application searches before the legitimate file's directory. When the update service is triggered, it will inadvertently load and execute the attacker's malicious code with SYSTEM-level privileges, leading to a full system compromise.

This vulnerability is rated as High severity with a CVSS score of 7.8. A successful exploit would allow a low-privileged user to escalate their privileges to that of an administrator on the local machine. This could have significant business consequences, including the theft or modification of sensitive corporate data, the deployment of ransomware or other malware, and the use of the compromised system as a pivot point for lateral movement to attack other critical assets on the network. This undermines the principle of least privilege and can turn a minor user account compromise into a full-scale system breach.

Immediate Action:

• Patching: Apply the security updates provided by Foxit across all affected workstations and servers immediately. Prioritize systems accessible by a broad user base.
• Access Control Review: Audit user permissions on endpoints to ensure the principle of least privilege is enforced. Standard users should not have write permissions to system directories or application installation folders.

Proactive Monitoring:

• Endpoint Detection and Response (EDR): Monitor for suspicious process creation events originating from the Foxit update service process (e.g., FoxitUpdater.exe). Pay close attention to the loading of DLLs from unusual or user-writable locations like C:\Windows\Temp\ or user profile directories.
• File Integrity Monitoring (FIM): Implement FIM to alert on the creation of new DLL or EXE files in the Foxit application directories by unprivileged users.
• Log Analysis: Review Windows Event Logs for signs of privilege escalation, such as a user account being unexpectedly added to the local Administrators group.

Compensating Controls:

• Application Whitelisting: Deploy application control solutions (e.g., Windows Defender Application Control, AppLocker) to prevent the execution of unauthorized executables or libraries from non-standard paths.
• Harden Search Paths: If possible, modify system environment variables to remove user-writable directories from the system's DLL search order, although this can have unintended consequences.

Public Exploit Available: false

Given the high CVSS score of 7.8 and the widespread deployment of Foxit products in enterprise environments, this vulnerability poses a significant risk. A successful exploit would grant an attacker complete control over a compromised endpoint, bypassing existing security controls. Although this vulnerability is not currently listed on the CISA KEV catalog, it should be prioritized for immediate remediation. We strongly recommend that organizations apply the vendor-supplied patches to all affected systems without delay to prevent potential exploitation.