CVE-2019-20822
📋 TL;DR
This vulnerability allows attackers to execute arbitrary code on systems running vulnerable versions of Foxit Reader or PhantomPDF with the 3D Plugin Beta enabled. An out-of-bounds write via incorrect image data can lead to remote code execution. Users of Foxit Reader or PhantomPDF with the 3D Plugin Beta before version 9.7.0.29430 are affected.
💻 Affected Systems
- Foxit Reader
- Foxit PhantomPDF
📦 What is this software?
3d by Foxitsoftware
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.
Likely Case
Remote code execution leading to malware installation, data theft, or ransomware deployment on vulnerable systems.
If Mitigated
Limited impact if systems are patched, have application whitelisting, or run with minimal privileges.
🎯 Exploit Status
The vulnerability is in a widely used plugin with a high CVSS score, making it attractive for exploitation. Proof-of-concept code has been published.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.7.0.29430 or later
Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php
Restart Required: Yes
Instructions:
1. Download the latest version from Foxit's official website.
2. Run the installer.
3. Restart the system to ensure all components are updated.
🔧 Temporary Workarounds
Disable 3D Plugin Beta
Remove or disable the vulnerable 3D Plugin Beta from Foxit Reader/PhantomPDF.
Navigate to the Foxit installation directory, locate and remove the 3D plugin files, or disable the plugin via the application settings.
Application Whitelisting
Use application whitelisting to block execution of Foxit Reader/PhantomPDF until it is patched.
Configure Windows AppLocker or a similar tool to block the Foxit executables.
🧯 If You Can't Patch
- Isolate affected systems from the internet and restrict network access.
- Run Foxit Reader/PhantomPDF with minimal user privileges and in a sandboxed environment.
🔍 How to Verify
Check if Vulnerable:
Check the Foxit Reader/PhantomPDF version and whether the 3D Plugin Beta is installed. A version below 9.7.0.29430 with the plugin installed indicates the system is vulnerable.
Check Version:
In Foxit Reader/PhantomPDF, go to Help > About to view version details.
Verify Fix Applied:
Confirm the version is 9.7.0.29430 or later and that the 3D Plugin Beta has been updated or removed.
📡 Detection & Monitoring
Log Indicators:
- Unexpected crashes of Foxit Reader/PhantomPDF
- Process creation from Foxit executables with unusual parameters
Network Indicators:
- Outbound connections from Foxit processes to unknown IPs
- Download of suspicious files triggered by Foxit
SIEM Query:
Process-creation events where the parent process name contains 'foxit' and the child's command line includes unusual arguments, or where a Foxit process initiates network connections.
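One way to turn the query above into runnable detection logic, as an added example that is not part of the original advisory: it scans constructed Sysmon-style process-creation lines and flags children of a Foxit process that are either on an assumed watch-list of script hosts or carry download-style arguments. The field names, the watch-lists and the sample paths are assumptions, not vendor values.

```python
import re

# Child processes a PDF reader would not normally spawn (assumed watch-list)
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
# Command-line fragments worth a second look (assumed, matched case-insensitively)
SUSPICIOUS_ARGS = re.compile(r"-enc|downloadstring|invoke-webrequest|https?://|-urlcache", re.I)

def parse_event(line):
    """Parse a constructed 'Key=Value|Key=Value' process-creation line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def flag_event(event):
    """Return a reason string if the event matches the SIEM query, else None."""
    parent = event.get("ParentImage", "").lower()
    if "foxit" not in parent:
        return None  # only children of Foxit processes are of interest here
    child = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if child in SUSPICIOUS_CHILDREN:
        return f"foxit spawned {child}"
    if SUSPICIOUS_ARGS.search(event.get("CommandLine", "")):
        return "unusual arguments in child command line"
    return None

def scan(log_text):
    """Return [(line_number, reason)] for every matching event in the log text."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            reason = flag_event(parse_event(line))
            if reason:
                hits.append((number, reason))
    return hits

# Constructed sample telemetry (Sysmon Event ID 1 style); paths are illustrative only.
FOXIT = "C:\\Program Files\\Foxit Software\\Foxit Reader\\FoxitReader.exe"
SAMPLE_LOG = "\n".join([
    f"EventID=1|ParentImage={FOXIT}|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c whoami",
    f"EventID=1|ParentImage=C:\\Windows\\explorer.exe|Image={FOXIT}|CommandLine=FoxitReader.exe C:\\Users\\a\\report.pdf",
    f"EventID=1|ParentImage={FOXIT}|Image=C:\\Users\\a\\AppData\\Local\\Temp\\x.exe|CommandLine=x.exe http://example.invalid/p",
    f"EventID=1|ParentImage={FOXIT}|Image=C:\\Program Files\\Foxit Software\\Foxit Reader\\FoxitUpdater.exe|CommandLine=FoxitUpdater.exe",
])

if __name__ == "__main__":
    for number, reason in scan(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

The benign launch from explorer.exe and the Foxit-to-Foxit child are deliberately left unflagged, so the rule can be tuned against normal activity before it is deployed.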