CVE-2020-10902

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Foxit PhantomPDF installations by tricking users into opening malicious PDF files containing specially crafted U3D objects. The flaw exists due to improper validation of user-supplied data, leading to out-of-bounds memory reads that can be leveraged for code execution. All users of affected Foxit PhantomPDF versions are at risk.

💻 Affected Systems

Products:
  • Foxit PhantomPDF
Versions: 9.7.1.29511 and earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with default configurations are vulnerable. User interaction required (opening malicious PDF).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through remote code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Malicious actors deliver weaponized PDFs via phishing campaigns to execute malware or establish footholds in target environments.

🟢 If Mitigated

Limited impact with proper application sandboxing, memory protection mechanisms, and user awareness preventing malicious file execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction but no authentication. Weaponization likely due to PDF-based attack vectors being common in phishing campaigns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.7.2 or later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Download the latest version from the Foxit website.
2. Run the installer.
3. Restart the system.
4. Verify the version is 9.7.2 or higher.

🔧 Temporary Workarounds

Disable U3D support (windows)

Disable U3D object processing in Foxit PhantomPDF settings: navigate to Edit > Preferences > Security (Enhanced) > Disable U3D support.

Use alternative PDF viewer (all)

Temporarily use different PDF software until patched.

🧯 If You Can't Patch

  • Implement application whitelisting so that unauthorized executables cannot run even if the PDF reader is compromised
  • Deploy email filtering to block PDF attachments
  • Use network segmentation to limit lateral movement from a compromised workstation

🔍 How to Verify

Check if Vulnerable:

Check Foxit PhantomPDF version in Help > About. If version is 9.7.1.29511 or earlier, system is vulnerable.

Check Version:

In Foxit PhantomPDF: Help > About

Verify Fix Applied:

Verify version is 9.7.2 or higher in Help > About. Test opening known safe PDF files with U3D content.
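The version check above can be scripted for fleet-wide verification. The following PowerShell is an added example, not part of the advisory or Foxit's own tooling. It assumes the product registers under the standard Windows Uninstall registry keys with a DisplayName containing "Foxit PhantomPDF" (an assumption; adjust the filter if your installer registers differently) and compares the recorded DisplayVersion against the fixed version 9.7.2 stated above.

```powershell
# Added example: compare installed Foxit PhantomPDF builds against the
# fixed version (9.7.2) named in the advisory. Not vendor code.

$FixedVersion = [version]'9.7.2'

# Standard Windows locations for installed-program metadata (64-bit, 32-bit, per-user).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-FoxitVersionStatus {
    # Returns 'Vulnerable', 'Patched' or 'Unknown' for a DisplayVersion string.
    # Versions that cannot be parsed (e.g. empty or non-numeric) are reported as
    # Unknown rather than silently treated as safe.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$DisplayVersion)

    $parsed = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) {
        return 'Unknown'
    }
    # 9.7.1.29511 and earlier are affected; 9.7.2 and later carry the fix.
    if ($parsed -lt $FixedVersion) { return 'Vulnerable' }
    return 'Patched'
}

function Get-FoxitPhantomPdfInstalls {
    # DisplayName filter is an assumption about how the installer registers itself.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Foxit PhantomPDF*' } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Version     = $_.DisplayVersion
                Status      = Get-FoxitVersionStatus -DisplayVersion ([string]$_.DisplayVersion)
            }
        }
}

$installs = @(Get-FoxitPhantomPdfInstalls)
if ($installs.Count -eq 0) {
    Write-Output 'Foxit PhantomPDF not found in the Uninstall registry keys.'
} else {
    $installs | Format-Table -AutoSize
}
```

Run it as the user who installed the product so per-user installs under HKCU are visible; a result of Unknown means the DisplayVersion string should be checked manually via Help > About.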

📡 Detection & Monitoring

Log Indicators:

  • Application crashes in Foxit PhantomPDF
  • Unexpected process creation from Foxit processes
  • Memory access violation errors in application logs

Network Indicators:

  • PDF file downloads from suspicious sources
  • Outbound connections from Foxit processes to unknown IPs

SIEM Query:

source="*foxit*" AND (event_type="crash" OR process_name="*foxit*")
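One of the log indicators listed above, unexpected process creation from Foxit processes, can be checked against process-creation telemetry. The following PowerShell is an added example, not part of the advisory. It assumes events shaped like Sysmon Event ID 1 records (ParentImage, Image, CommandLine, UtcTime), that the reader's executable is named FoxitPhantomPDF.exe, and that only a small set of child images are expected from it; all three are assumptions, and the sample events are constructed, not real telemetry.

```powershell
# Added example: flag child processes spawned by Foxit PhantomPDF that are not
# on an expected-children allowlist. Field names follow Sysmon Event ID 1.

# Assumed executable name of the reader and the children it legitimately spawns.
$FoxitImageNames  = @('FoxitPhantomPDF.exe')
$ExpectedChildren = @('FoxitPhantomPDF.exe', 'FoxitPDFUpdateService.exe')

function Find-SuspiciousFoxitChildren {
    # Emits one object per event whose parent is the reader and whose child is
    # not in the allowlist. Comparisons use -contains, which is case-insensitive.
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $parent = Split-Path -Leaf $e.ParentImage
        $child  = Split-Path -Leaf $e.Image
        if (($FoxitImageNames -contains $parent) -and ($ExpectedChildren -notcontains $child)) {
            [pscustomobject]@{
                UtcTime     = $e.UtcTime
                Parent      = $parent
                Child       = $child
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample events (not real logs): one benign updater launch,
# one shell spawned by the reader, one unrelated browser event.
$sampleEvents = @(
    [pscustomobject]@{
        UtcTime     = '2020-04-01 10:00:01'
        ParentImage = 'C:\Program Files\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe'
        Image       = 'C:\Program Files\Foxit Software\Foxit PhantomPDF\FoxitPDFUpdateService.exe'
        CommandLine = 'FoxitPDFUpdateService.exe'
    },
    [pscustomobject]@{
        UtcTime     = '2020-04-01 10:02:17'
        ParentImage = 'C:\Program Files\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe'
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c echo test'
    },
    [pscustomobject]@{
        UtcTime     = '2020-04-01 10:03:40'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Program Files\Mozilla Firefox\firefox.exe'
        CommandLine = 'firefox.exe'
    }
)

$hits = @(Find-SuspiciousFoxitChildren -Events $sampleEvents)
Write-Output ("Suspicious Foxit child processes: {0}" -f $hits.Count)
$hits | Format-Table -AutoSize
```

On the constructed input only the cmd.exe launch is reported. In production, feed the function from Get-WinEvent on the Sysmon operational log and treat the allowlist as a tuning point: an updater or print helper that the reader legitimately spawns belongs in $ExpectedChildren, anything else from the reader's process tree is worth a look.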
