CVE-2020-10897

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files containing specially crafted U3D objects. It affects Foxit PhantomPDF users running version 9.7.1.29511, enabling attackers to gain control of the victim's system through a memory corruption flaw.

💻 Affected Systems

Products:
  • Foxit PhantomPDF
Versions: 9.7.1.29511
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction; the victim must open a malicious PDF file. All default configurations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the victim's machine, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to data exfiltration, installation of persistent malware, or credential harvesting from the compromised system.

🟢 If Mitigated

Limited impact with proper application sandboxing and memory protection mechanisms preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires social engineering to deliver the malicious PDF, but no authentication is needed once the file is opened.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.7.2 or later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Download the latest version from the Foxit website.
2. Run the installer.
3. Restart the system.
4. Verify the version is 9.7.2 or higher.

🔧 Temporary Workarounds

Disable U3D object processing (Windows)

Configure Foxit PhantomPDF to disable U3D object rendering in PDF files.

Edit registry: HKEY_CURRENT_USER\Software\Foxit Software\PhantomPDF\Preferences\Security\EnableU3D = 0

Use an alternative PDF viewer (all platforms)

Temporarily use a different PDF reader that is not vulnerable.

🧯 If You Can't Patch

  • Implement application whitelisting to block execution of Foxit PhantomPDF
  • Deploy email/web filtering to block PDF files and implement user awareness training about opening suspicious attachments

🔍 How to Verify

Check if Vulnerable:

Check Help > About in Foxit PhantomPDF for version number. If version is 9.7.1.29511, system is vulnerable.

Check Version:

wmic product where name="Foxit PhantomPDF" get version

Note: querying Win32_Product (wmic product) makes Windows Installer run a consistency check on every installed MSI package, so the command can be slow and generates MsiInstaller events; wmic itself is deprecated in current Windows releases, so prefer reading the Uninstall registry keys at scale.

Verify Fix Applied:

Verify version is 9.7.2 or higher in Help > About menu.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of Foxit PhantomPDF
  • Unusual process creation from Foxit processes
  • Memory access violation events in Windows Event Logs

Network Indicators:

  • Outbound connections from Foxit processes to unknown IPs
  • DNS requests for suspicious domains following PDF file opening

SIEM Query:

source="Windows Security" EventCode=4688 ParentProcessName="*foxit*" | stats count by host, NewProcessName

This matches processes spawned by a Foxit process (the indicator listed above) rather than launches of Foxit itself; a PDF reader spawning cmd.exe, powershell.exe or a script host is the signal to triage. Field names follow the event 4688 EventData labels and must be mapped to your SIEM's extraction (for example Creator_Process_Name and New_Process_Name in the Splunk Add-on for Windows).
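The same parent/child check as offline detection logic over exported 4688 records, written as an added example for this page (not vendor code); the sample events, install path, helper name and the list of suspicious child binaries are constructed assumptions.

```python
import ntpath
from collections import Counter

# Constructed sample records shaped like Windows Security event 4688 (process creation);
# field names are the event's own EventData names. Paths are made up for the example.
FOXIT_DIR = r"C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF"
FOXIT_EXE = FOXIT_DIR + r"\FoxitPhantomPDF.exe"
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "NewProcessName": FOXIT_EXE,
     "ParentProcessName": r"C:\Windows\explorer.exe"},                  # normal launch
    {"EventID": 4688, "Computer": "WS01", "ParentProcessName": FOXIT_EXE,
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},                 # shell spawned by reader
    {"EventID": 4688, "Computer": "WS02", "ParentProcessName": FOXIT_EXE,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4688, "Computer": "WS02", "ParentProcessName": FOXIT_EXE,
     "NewProcessName": FOXIT_DIR + r"\FoxitHelper.exe"},                # hypothetical in-tree helper
    {"EventID": 4624, "Computer": "WS02"},                               # unrelated logon event
]

# Interpreters and utilities a PDF reader has no business launching (assumption: extend
# this list to match your own environment's baseline).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def find_foxit_children(events):
    """Return 4688 events whose parent is a Foxit process and whose child is not a
    binary from the Foxit install directory. Severity is 'high' for known
    interpreters/utilities, 'review' for any other child outside the install tree."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        parent, child = ev.get("ParentProcessName", ""), ev.get("NewProcessName", "")
        if not _base(parent).startswith("foxit"):
            continue
        if child.lower().startswith(FOXIT_DIR.lower() + "\\"):
            continue  # assumption: Foxit's own helpers live under its install directory
        severity = "high" if _base(child) in SUSPICIOUS_CHILDREN else "review"
        findings.append({"host": ev.get("Computer", "?"), "parent": parent,
                         "child": child, "severity": severity})
    return findings

def count_by_host(findings):
    """Equivalent of '| stats count by host' over the findings."""
    return dict(Counter(f["host"] for f in findings))

if __name__ == "__main__":
    for f in find_foxit_children(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['parent']} -> {f['child']}")
    print(count_by_host(find_foxit_children(SAMPLE_EVENTS)))
```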
