CVE-2020-17410

7.8 HIGH

📋 TL;DR

A flaw in how Foxit PhantomPDF handles GIF files lets a remote attacker run arbitrary code in the context of the current process, but only after a user opens (or converts) a crafted GIF file in the application. The tested vulnerable build is 10.0.0.35798; any user of that build who opens GIF files from untrusted sources is exposed.

💻 Affected Systems

Products:
  • Foxit PhantomPDF
Versions: 10.0.0.35798
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: User interaction required - the victim must open a crafted GIF file in Foxit PhantomPDF or visit a page that delivers one. No authentication or prior foothold is needed.

📦 What is this software?

Foxit PhantomPDF is Foxit Software's commercial PDF editor for Windows. Besides viewing and editing PDFs it creates PDFs from other file types, including image formats such as GIF, which is the code path this vulnerability lives in.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the workstation through code execution as the current user, followed by data theft, ransomware deployment, or lateral movement. If the user is a local administrator, the attacker gets that privilege directly.

🟠 Likely Case

Malware installation or data exfiltration after a user opens a crafted GIF file (for example one received by e-mail or downloaded from a web page) in Foxit PhantomPDF.

🟢 If Mitigated

Limited impact if the application runs as a standard (non-admin) user, inside a sandbox, and with outbound connections from the process restricted; those controls contain the payload even though they do not stop the parser bug itself.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the victim to open the crafted file; no authentication or special configuration is needed beyond that, and the vulnerable parser is reached as soon as the file is loaded.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.1.35811 or later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes (Foxit PhantomPDF must be restarted; reboot if the installer asks for it)

Instructions:

1. Download the 10.0.1 (or later) installer from the Foxit website.
2. Run the installer.
3. Restart Foxit PhantomPDF (or the system if the installer prompts).
4. Verify that Help > About shows 10.0.1.35811 or higher.

🔧 Temporary Workarounds

Avoid handling untrusted GIF files

windows

Foxit's bulletin does not describe a registry or configuration switch that turns GIF parsing off, so this is a procedural control: until the fix is applied, do not open or convert GIF files from untrusted sources in Foxit PhantomPDF, and point the .gif file association at a plain image viewer so that a double-click never reaches the vulnerable parser.

Application sandboxing

windows

Run Foxit PhantomPDF as a standard (non-admin) user so that code execution is limited to that account, and open untrusted files in an isolated environment. Windows Sandbox is built into Windows 10 Pro/Enterprise 1903 and later (optional feature Containers-DisposableClientVM); because the sandbox is discarded when closed, PhantomPDF has to be installed inside each session, which makes it suited to triage of individual files rather than daily use.

🧯 If You Can't Patch

  • Implement application whitelisting (AppLocker or WDAC) so that a dropped second-stage binary cannot run; note that shellcode executing inside the FoxitPhantomPDF.exe process itself is not stopped by whitelisting.
  • Restrict outbound connections from FoxitPhantomPDF.exe at the host firewall. The parser is reached by a local file, so blocking egress does not prevent exploitation, but it cuts off payload downloads and command-and-control traffic.

🔍 How to Verify

Check if Vulnerable:

Check Help > About in Foxit PhantomPDF for version 10.0.0.35798; treat any build below 10.0.1.35811 as unpatched.

Check Version:

wmic product where name="Foxit PhantomPDF" get version

Caveat: wmic product (the Win32_Product class) enumerates every installed MSI package and runs a consistency check on each, which is slow and writes a reconfiguration event for every package to the Application log. Reading the Uninstall registry keys or the file version of FoxitPhantomPDF.exe gives the same answer without that side effect.

Verify Fix Applied:

Verify version is 10.0.1.35811 or higher in Help > About
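The check described in this section, as an added PowerShell example (not from the advisory or from Foxit): it reads the installed version from the standard Uninstall registry keys, falls back to the file version of the executable, and compares against the fixed build. The default install path and the DisplayName prefix "Foxit PhantomPDF" are assumptions; adjust them for non-default installs.

```powershell
# Added example: report whether the installed Foxit PhantomPDF build predates
# the fixed build 10.0.1.35811.
# Assumptions: the product registers under the standard Uninstall keys with a
# DisplayName starting "Foxit PhantomPDF", and the main binary FoxitPhantomPDF.exe
# lives at the default install path below.

$FixedBuild = [version]'10.0.1.35811'
$DefaultExe = 'C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe'  # assumed default path

function Get-FoxitPhantomVersion {
    # Prefer the Uninstall registry entries: fast, and they do not trigger the
    # MSI consistency check that 'wmic product' / Win32_Product performs.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Foxit PhantomPDF*' } |
        Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) { return [version]$entry.DisplayVersion }

    # Fall back to the file version stamped on the executable.
    if (Test-Path $DefaultExe) {
        return [version](Get-Item $DefaultExe).VersionInfo.FileVersion
    }
    return $null
}

function Test-FoxitPhantomVulnerable {
    param([version]$Installed)
    # Any build below the fixed one is treated as unpatched; the advisory's
    # tested vulnerable build, 10.0.0.35798, falls in that range.
    return $Installed -lt $FixedBuild
}

$v = Get-FoxitPhantomVersion
if ($null -eq $v) {
    'Foxit PhantomPDF not found (or installed to a non-default path).'
} elseif (Test-FoxitPhantomVulnerable $v) {
    "Foxit PhantomPDF $v is below $FixedBuild: update to 10.0.1.35811 or later."
} else {
    "Foxit PhantomPDF $v is at or above the fixed build."
}
```

Run it from an elevated PowerShell prompt on each workstation, or push it through your endpoint management tool and collect the output line; the version comparison uses [System.Version], so the four-part build number compares numerically rather than as a string.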

📡 Detection & Monitoring

Log Indicators:

  • Application Error events (Event ID 1000 in the Application log) whose faulting application is FoxitPhantomPDF.exe; a failed attempt to exploit a heap-corruption bug usually ends in a crash.
  • Child processes of FoxitPhantomPDF.exe that an image converter has no reason to start (cmd.exe, powershell.exe, wscript.exe, mshta.exe, rundll32.exe, regsvr32.exe, certutil.exe).

Network Indicators:

  • Outbound connections from FoxitPhantomPDF.exe to unfamiliar IPs, especially shortly after a GIF file was opened.
  • DNS requests for newly registered or otherwise suspicious domains originating from the same host at that time.

SIEM Query:

(parent_process_name:"FoxitPhantomPDF.exe" AND process_name:(cmd.exe OR powershell.exe OR wscript.exe OR cscript.exe OR mshta.exe OR rundll32.exe OR regsvr32.exe OR certutil.exe)) OR (event_id:1000 AND message:"FoxitPhantomPDF.exe")

A parent of explorer.exe is how every user launch of the application looks, so it is not a useful condition; what matters is what FoxitPhantomPDF.exe itself spawns, plus crashes of the process.
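The two host-side checks behind that query, as an added PowerShell example (not from the advisory or from Foxit): Sysmon process-creation events where the parent is FoxitPhantomPDF.exe and the child is a living-off-the-land binary, and Application Error events that name the Foxit process. It assumes Sysmon is installed with process-creation logging; the process name comes from the advisory, the list of suspicious children is a starting set, and the sample event embedded at the end is constructed, not a real capture.

```powershell
# Added example: hunt a host for post-exploitation signs of CVE-2020-17410.
#   1. Sysmon Event ID 1 (process create) where ParentImage is FoxitPhantomPDF.exe
#      and the child is a LOLBin an image converter has no reason to start.
#   2. Application log Event ID 1000 (Application Error) whose message names
#      FoxitPhantomPDF.exe, i.e. the process crashed.
# Assumptions: Sysmon is installed and logging process creation; the list of
# suspicious children below is a starting set, extend it for your environment.

$SuspiciousChildren = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
                      'mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe'

function Get-SysmonProcessData {
    # Turn a Sysmon event's XML into a hashtable of its EventData fields.
    param([xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Test-SuspiciousFoxitChild {
    param([hashtable]$Data)
    $parent = Split-Path -Leaf $Data['ParentImage']
    $child  = Split-Path -Leaf $Data['Image']
    return ($parent -ieq 'FoxitPhantomPDF.exe') -and ($SuspiciousChildren -icontains $child)
}

function Find-FoxitChildProcesses {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-SysmonProcessData ([xml]$_.ToXml())
        if (Test-SuspiciousFoxitChild $d) {
            [pscustomobject]@{ Time = $_.TimeCreated; Parent = $d['ParentImage']
                               Child = $d['Image'];    CommandLine = $d['CommandLine'] }
        }
    }
}

function Find-FoxitCrashes {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'FoxitPhantomPDF\.exe' } |
        Select-Object TimeCreated, Message
}

# Constructed sample event (not a real capture) to exercise the parsing path offline.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="ParentImage">C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe</Data>
  </EventData>
</Event>
'@
Test-SuspiciousFoxitChild (Get-SysmonProcessData $sample)

# Live hunt on this host over the last three days:
Find-FoxitChildProcesses -Hours 72 | Format-Table -AutoSize
Find-FoxitCrashes -Hours 72 | Format-List
```

The crash check is the weaker of the two signals: PhantomPDF can crash on malformed GIFs for benign reasons, so treat a crash as a prompt to look at the file the user opened, while a scripting host or rundll32.exe spawned by the PDF process is worth an immediate triage.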

🔗 References

  • Foxit security bulletins: https://www.foxitsoftware.com/support/security-bulletins.php
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-17410