CVE-2021-27261

7.8 HIGH

📋 TL;DR

This vulnerability in Foxit PhantomPDF allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files containing specially crafted U3D objects. The flaw exists due to improper bounds checking when processing U3D data, leading to out-of-bounds memory reads that can be leveraged for code execution. Users of affected Foxit PhantomPDF versions are at risk.

💻 Affected Systems

Products:
  • Foxit PhantomPDF
Versions: 10.1.0.37527 and earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default. User interaction required (opening malicious PDF).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via remote code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement within networks.

🟠 Likely Case

A malicious actor gains code execution on the victim's machine through phishing emails with malicious PDF attachments, enabling data exfiltration or malware installation.

🟢 If Mitigated

The attack fails because the software is patched, security controls block the malicious file, or user awareness prevents the malicious PDF from being opened.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the user to open a malicious PDF, but no authentication is needed. Weaponization is likely given the ZDI publication and the RCE impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.1 or later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Download the latest Foxit PhantomPDF from the official website.
2. Run the installer.
3. Restart the system.
4. Verify the version is 10.1.1 or higher.

🔧 Temporary Workarounds

Disable U3D support
Platform: Windows

Disable U3D object processing in Foxit PhantomPDF settings.

Use alternative PDF viewer
Platform: all

Temporarily use different PDF software until patched.

🧯 If You Can't Patch

  • Block PDF files at email gateways and web proxies
  • Implement application whitelisting to prevent unauthorized executables

🔍 How to Verify

Check if Vulnerable:

Check the Foxit PhantomPDF version in Help > About. If the version is 10.1.0.37527 or earlier, the system is vulnerable.

Check Version:

wmic product where name="Foxit PhantomPDF" get version

Verify Fix Applied:

Verify the version is 10.1.1 or higher in Help > About. Test with a known safe PDF containing U3D objects.

📡 Detection & Monitoring

Log Indicators:

  • Foxit PhantomPDF crash logs with memory access violations
  • Windows Event Logs showing application crashes with exception codes like 0xC0000005

Network Indicators:

  • Unusual outbound connections from Foxit process after PDF opening
  • PDF downloads from suspicious sources

SIEM Query:

source="windows" AND (event_id=1000 OR event_id=1001) AND process_name="FoxitPhantomPDF.exe" AND exception_code="0xC0000005"
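
Added example (not part of the original advisory or any Foxit tooling): a Python triage over Application Error (Event ID 1000) message text that applies the log indicators and version thresholds given on this page, so a crash hit also reports whether the host is still on an affected build. The sample events are constructed, and the message field layout and all function names are assumptions of this example.

```python
import re

# Thresholds as stated on this page.
LAST_VULNERABLE = (10, 1, 0, 37527)   # "10.1.0.37527 and earlier"
FIRST_FIXED = (10, 1, 1, 0)           # "10.1.1 or later"
ACCESS_VIOLATION = 0xC0000005
# Assumed field layout of the Event ID 1000 message text.
_APP = re.compile(r"Faulting application name:\s*([^,]+),\s*version:\s*([\d.]+)", re.I)
_EXC = re.compile(r"Exception code:\s*(0x[0-9a-f]+)", re.I)

def parse_version(text):
    """Turn '10.1.1' or '10.1.0.37527' into a comparable 4-tuple."""
    parts = [int(p) for p in text.split(".")][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def patch_state(version):
    v = parse_version(version)
    if v <= LAST_VULNERABLE:
        return "vulnerable"
    if v >= FIRST_FIXED:
        return "fixed"
    return "unknown"  # 10.1.0 builds above 37527: the page does not say

def triage(message, process="FoxitPhantomPDF.exe"):
    """Return (version, patch_state) for a matching crash, else None."""
    app, exc = _APP.search(message), _EXC.search(message)
    if not (app and exc) or app.group(1).strip().lower() != process.lower():
        return None
    # Compare numerically: the log may write the code as 0xc0000005.
    if int(exc.group(1), 16) != ACCESS_VIOLATION:
        return None
    return app.group(2), patch_state(app.group(2))

def make_event(app, version, code):
    """Build a constructed sample message (not from a real host)."""
    return (f"Faulting application name: {app}, version: {version}, "
            f"time stamp: 0x00000000\nFaulting module name: sample.dll, "
            f"version: 1.0.0.0, time stamp: 0x00000000\nException code: {code}\n")

SAMPLES = [
    make_event("FoxitPhantomPDF.exe", "10.1.0.37527", "0xc0000005"),
    make_event("FoxitPhantomPDF.exe", "10.1.1.0", "0xC0000005"),
    make_event("FoxitPhantomPDF.exe", "10.1.0.37527", "0xc0000409"),
    make_event("notepad.exe", "10.0.0.1", "0xc0000005"),
]

if __name__ == "__main__":
    print([triage(m) for m in SAMPLES])
```

Matching the exception code as a number rather than as the literal string `0xC0000005` avoids missing events where the code is logged in lowercase hex.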
