CVE-2020-10895

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking a user into opening a malicious PDF file that contains a specially crafted U3D object. It affects Foxit PhantomPDF version 9.7.1.29511. The flaw is caused by improper validation of user-supplied data when U3D objects are parsed, which leads to out-of-bounds memory reads.

💻 Affected Systems

Products:
  • Foxit PhantomPDF
Versions: 9.7.1.29511
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: User interaction is required: the victim must open a malicious PDF file or visit a malicious web page that embeds PDF content.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with the attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Malicious code execution in the context of the current user, enabling data exfiltration, credential theft, or installation of additional malware.

🟢 If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in an application crash but not full system compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires social engineering to deliver the malicious PDF, but no authentication is needed once the file is opened.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.7.2 or later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Download the latest version from the Foxit website.
2. Run the installer.
3. Restart the system.
4. Verify that the installed version is 9.7.2 or higher.

🔧 Temporary Workarounds

Disable U3D support (Windows)

Disable U3D object rendering in Foxit PhantomPDF settings: open Foxit PhantomPDF > Preferences > Security > Disable U3D support.

Use an alternative PDF viewer (all platforms)

Temporarily use different PDF software until the patch is applied.

🧯 If You Can't Patch

  • Restrict user privileges to standard user accounts (not administrator)
  • Implement application whitelisting to prevent unauthorized executables

🔍 How to Verify

Check if Vulnerable:

Check Foxit PhantomPDF version in Help > About. If version is exactly 9.7.1.29511, system is vulnerable.

Check Version:

wmic product where name="Foxit PhantomPDF" get version

Note that querying Win32_Product through wmic enumerates every installed MSI package and triggers a consistency check on each one, so the command is slow; Help > About is the quicker manual check.

Verify Fix Applied:

Verify version is 9.7.2 or higher in Help > About menu.
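The version check above, as an added PowerShell example (not from the advisory or from Foxit): it reads the installed version from the standard Windows Uninstall registry keys instead of Win32_Product, and classifies it against the page's fixed version (9.7.2) and affected build (9.7.1.29511). The registry paths are the usual Uninstall locations and the DisplayName prefix `Foxit PhantomPDF` is an assumption.

```powershell
# Added example, not part of the original advisory.
# Reads the Foxit PhantomPDF version from the Uninstall registry keys and
# compares it with the fix version given on the page.
$FixedVersion    = [version]'9.7.2'        # first fixed release per the advisory
$AffectedVersion = [version]'9.7.1.29511'  # the build the advisory lists as vulnerable

function Get-FoxitPhantomPdfVersion {
    # Assumption: the product registers under DisplayName "Foxit PhantomPDF ..."
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Foxit PhantomPDF*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-CVE202010895 {
    param([string]$InstalledVersion)

    if ([string]::IsNullOrWhiteSpace($InstalledVersion)) { return 'NotInstalled' }

    # [version] handles the four-part build string and compares field by field,
    # so 9.7.1.29511 sorts below 9.7.2 as expected.
    $installed = [version]$InstalledVersion

    if ($installed -ge $FixedVersion)    { return 'Patched' }
    if ($installed -eq $AffectedVersion) { return 'Vulnerable' }
    # Below the fix version but not the build the advisory names explicitly.
    return 'BelowFixVersion'
}

$detected = Get-FoxitPhantomPdfVersion
"Installed version: $(if ($detected) { $detected } else { '<none>' })"
"Status: $(Test-CVE202010895 -InstalledVersion $detected)"
```

Run it in an elevated PowerShell prompt on the host being checked; a result of `Patched` corresponds to the "9.7.2 or higher" condition in the advisory, and `Vulnerable` to the exact build it names.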

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected child processes spawned from Foxit PhantomPDF

Network Indicators:

  • Outbound connections from Foxit PhantomPDF to unknown IPs
  • DNS requests for suspicious domains after PDF opening

SIEM Query:

process_name="FoxitPhantomPDF.exe" AND (event_id=1000 OR child_process_creation=true)
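The two log indicators listed above (crashes and unexpected child processes), as an added PowerShell example that is not part of the original page: it evaluates the same conditions as the SIEM query over a small constructed set of events shaped like Sysmon Event ID 1 (process creation) and Windows Application Error Event ID 1000 records. The field names and sample paths are constructed for the example.

```powershell
# Added example, not part of the original advisory.
# Constructed events: two Sysmon-style process-creation records and two
# Application Error (Event ID 1000) records. Field names are assumptions.
$SampleEvents = @(
    [pscustomobject]@{ Source = 'Sysmon'; EventId = 1
                       Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Program Files\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe' },
    [pscustomobject]@{ Source = 'Sysmon'; EventId = 1
                       Image = 'C:\Windows\System32\notepad.exe'
                       ParentImage = 'C:\Windows\explorer.exe' },
    [pscustomobject]@{ Source = 'Application Error'; EventId = 1000
                       FaultingApplication = 'FoxitPhantomPDF.exe'
                       ExceptionCode = '0xc0000005' },   # STATUS_ACCESS_VIOLATION
    [pscustomobject]@{ Source = 'Application Error'; EventId = 1000
                       FaultingApplication = 'excel.exe'
                       ExceptionCode = '0xc0000005' }
)

function Find-FoxitIndicators {
    param([object[]]$Events)

    foreach ($e in $Events) {
        # Indicator 1: a child process whose parent is the Foxit PhantomPDF binary.
        if ($e.EventId -eq 1 -and $e.ParentImage) {
            $parentName = Split-Path -Leaf $e.ParentImage
            if ($parentName -ieq 'FoxitPhantomPDF.exe') {
                [pscustomobject]@{
                    Indicator = 'ChildProcess'
                    Detail    = "$parentName spawned $(Split-Path -Leaf $e.Image)"
                }
            }
        }
        # Indicator 2: an application crash (Event ID 1000) from the Foxit binary;
        # 0xc0000005 is the access-violation status the advisory's crash indicator refers to.
        elseif ($e.EventId -eq 1000 -and $e.FaultingApplication -ieq 'FoxitPhantomPDF.exe') {
            [pscustomobject]@{
                Indicator = 'Crash'
                Detail    = "exception $($e.ExceptionCode) in $($e.FaultingApplication)"
            }
        }
    }
}

# Expected: two hits, one ChildProcess (cmd.exe) and one Crash (0xc0000005).
Find-FoxitIndicators -Events $SampleEvents | Format-Table -AutoSize
```

On a live host the same logic can be fed from `Get-WinEvent` (Sysmon operational log for ID 1, Application log for ID 1000); the child-process rule is the higher-signal of the two, since a PDF viewer has little legitimate reason to launch a shell.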
