CVE-2021-27267

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files containing specially crafted U3D objects. It affects Foxit PhantomPDF users running vulnerable versions, and exploitation requires user interaction.

💻 Affected Systems

Products:
  • Foxit PhantomPDF
Versions: 10.1.0.37527 and earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default when processing PDF files with U3D content.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through arbitrary code execution with current user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Malware installation or data exfiltration through spear-phishing campaigns targeting users who open malicious PDF attachments.

🟢 If Mitigated

Limited impact with proper email filtering, user training, and application sandboxing preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction but uses common attack vectors (malicious PDF files). The vulnerability was disclosed through ZDI with technical details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.1 or later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Download latest version from Foxit website.
2. Run installer.
3. Restart system.
4. Verify version is 10.1.1 or higher.

🔧 Temporary Workarounds

Disable U3D content processing (Windows)

Configure Foxit PhantomPDF to disable U3D object rendering.

Edit registry: HKEY_CURRENT_USER\Software\Foxit Software\PhantomPDF\Preferences\Security\EnableU3D = 0

Use alternative PDF viewer (all platforms)

Temporarily use a different PDF application until patched.

🧯 If You Can't Patch

  • Implement application whitelisting to block unauthorized PDF viewers
  • Deploy network segmentation to limit lateral movement if compromised

🔍 How to Verify

Check if Vulnerable:

Check Foxit PhantomPDF version in Help > About. If version is 10.1.0.37527 or earlier, system is vulnerable.

Check Version:

wmic product where name="Foxit PhantomPDF" get version

Verify Fix Applied:

Verify version is 10.1.1 or higher in Help > About dialog.
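
The version check above, automated as an added example (not code from Foxit or from this page): it reads the text output of the wmic command and compares versions numerically against the two thresholds stated here, since plain string comparison misorders versions such as 9.x and 10.x. The sample output is constructed, and the "unknown" verdict for builds between 10.1.0.37527 and 10.1.1 is an assumption of this example, because the page does not classify them.

```python
# Added example: thresholds are the ones stated on this page; sample data is constructed.
LAST_AFFECTED = (10, 1, 0, 37527)   # "10.1.0.37527 and earlier versions"
FIRST_FIXED = (10, 1, 1)            # "Patch Version: 10.1.1 or later"


def parse_version(text):
    """Turn '10.1.0.37527' into (10, 1, 0, 37527); raise ValueError on junk."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so 10.1.1 compares equal to 10.1.1.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def classify(version_text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one version string."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unknown"
    a, b = _pad(v, LAST_AFFECTED)
    if a <= b:
        return "vulnerable"
    a, b = _pad(v, FIRST_FIXED)
    if a >= b:
        return "fixed"
    # Between the last affected build and 10.1.1: the page does not say.
    return "unknown"


def versions_from_wmic(output):
    """Extract version strings from 'wmic ... get version' text output."""
    lines = [ln.strip() for ln in output.splitlines()]
    return [ln for ln in lines if ln and ln.lower() != "version"]


if __name__ == "__main__":
    # Constructed sample of the command's output: header line, then one value.
    sample = "Version      \r\n10.1.0.37527 \r\n\r\n"
    for ver in versions_from_wmic(sample):
        print(ver, classify(ver))
```

Treat an "unknown" result as unpatched until the build is confirmed against the vendor advisory.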

📡 Detection & Monitoring

Log Indicators:

  • Application crashes in Foxit PhantomPDF
  • Unusual process creation from Foxit processes
  • Failed U3D object loading attempts

Network Indicators:

  • Outbound connections from Foxit processes to unknown IPs
  • DNS requests for suspicious domains after PDF opening

SIEM Query:

process_name:"FoxitPhantomPDF.exe" AND (event_id:1000 OR (parent_process:explorer.exe AND child_process:cmd.exe))
