CVE-2020-13806

7.5 HIGH

📋 TL;DR

CVE-2020-13806 is a use-after-free vulnerability in Foxit Reader and PhantomPDF that occurs when JavaScript executes after document deletion or closure. This allows attackers to execute arbitrary code by tricking users into opening malicious PDF files. All users of affected Foxit software versions are vulnerable.

💻 Affected Systems

Products:
  • Foxit Reader
  • Foxit PhantomPDF
Versions: All versions before 9.7.2
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: JavaScript execution must be enabled (default setting). All platforms running affected versions are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the same privileges as the current user, potentially leading to full system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Malicious PDF files delivered via email or web downloads execute arbitrary code, install malware, or steal sensitive information from the victim's system.

🟢 If Mitigated

With proper security controls, exploitation attempts are blocked by endpoint protection, and user impact is limited to application crashes.

🌐 Internet-Facing: MEDIUM - Attackers can host malicious PDFs on websites or distribute them via email, but exploitation requires user interaction to open the file.
🏢 Internal Only: MEDIUM - Internal phishing campaigns or shared malicious documents could exploit this vulnerability within organizational networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction to open a malicious PDF file. Multiple proof-of-concept examples exist in public repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.7.2 and later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Download Foxit Reader/PhantomPDF 9.7.2 or later from the official Foxit website.
2. Run the installer.
3. Follow the installation prompts.
4. Restart the application and system if prompted.

🔧 Temporary Workarounds

Disable JavaScript in Foxit

all

Prevents JavaScript execution in PDF files, which blocks the exploitation vector

Open Foxit Reader > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use alternative PDF reader

all

Temporarily switch to a different PDF reader application

🧯 If You Can't Patch

  • Implement application whitelisting to block unauthorized executables
  • Deploy endpoint detection and response (EDR) solutions to detect exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check Foxit version: Open Foxit Reader > Help > About Foxit Reader. If version is below 9.7.2, you are vulnerable.

Check Version:

On Windows: wmic product where "name like 'Foxit%'" get version

Verify Fix Applied:

Verify version is 9.7.2 or higher in Help > About Foxit Reader. Test with known safe PDF files containing JavaScript.
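
A version check that can be run across many hosts, added here as an example (not from Foxit or from this page's source). It reads the standard Windows Uninstall registry keys rather than `wmic product`, which lists only software installed through Windows Installer (MSI), and compares each Foxit Reader/PhantomPDF version with the fixed release 9.7.2. The DisplayName pattern is an assumption about how the installers register the products.

```powershell
# Added example: report Foxit Reader / PhantomPDF installs older than 9.7.2.
# Assumption: DisplayName starts with "Foxit Reader" or "Foxit PhantomPDF".
$fixed = [version]'9.7.2'

# Machine-wide (64-bit and 32-bit views) and per-user uninstall entries.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Foxit (Reader|PhantomPDF)' } |
    ForEach-Object {
        # DisplayVersion is free text; parse it instead of comparing strings,
        # so that "9.10.0" is not sorted below "9.7.2".
        $parsed = $null
        $ok = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            Status   = if (-not $ok) { 'UNKNOWN' }            # review manually
                       elseif ($parsed -lt $fixed) { 'VULNERABLE' }
                       else { 'PATCHED' }
        }
    }
```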

📡 Detection & Monitoring

Log Indicators:

  • Application crashes in Foxit Reader/PhantomPDF
  • Unexpected child processes spawned from Foxit
  • JavaScript execution errors in application logs

Network Indicators:

  • Downloads of PDF files from suspicious sources
  • Outbound connections from Foxit process to unknown IPs

SIEM Query:

(process_name:"FoxitReader.exe" AND event_id:1000) OR parent_process_name:"FoxitReader.exe"
