CVE-2021-27269

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Foxit PhantomPDF installations by tricking users into opening malicious PDF files containing specially crafted U3D objects. The flaw exists due to improper validation of user-supplied data, leading to an out-of-bounds write condition. Users of Foxit PhantomPDF 10.1.0.37527 are affected.

💻 Affected Systems

Products:
  • Foxit PhantomPDF
Versions: 10.1.0.37527
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: User interaction required (opening malicious PDF file). All Windows installations with default configuration are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation or remote code execution leading to malware installation, data exfiltration, or system disruption.

🟢 If Mitigated

Limited impact due to sandboxing, application hardening, or network segmentation preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction but no authentication. Weaponization is likely given the nature of PDF-based attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.1 or later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Download latest version from Foxit website.
2. Run installer.
3. Restart system.
4. Verify version is 10.1.1 or higher.

🔧 Temporary Workarounds

Disable U3D object processing (Windows)

Configure Foxit PhantomPDF to disable U3D object rendering in PDF files

Navigate to Edit > Preferences > Security (Enhanced) > Disable U3D support

Use alternative PDF viewer (all platforms)

Temporarily use a different PDF reader that is not vulnerable

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized code
  • Deploy network segmentation to limit lateral movement if exploitation occurs
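
While hosts remain unpatched, inbound PDFs can be triaged for embedded U3D content before they reach the viewer. The following is an added example, not code from Foxit or the advisory: the function names are hypothetical and the sample inputs are constructed fragments. It decodes PDF name escapes so that a spelling such as `/U#33D` is still recognized.

```python
import re

# A PDF name is "/" followed by regular characters; any character may also be
# written as a #xx hex escape, so /U#33D is the same name as /U3D.
_NAME = re.compile(rb"/((?:[^\x00\t\n\x0c\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# /Subtype values of interest, mapped to the label reported for each.
_LABELS = {
    b"3D": "3D annotation (/Subtype /3D)",
    b"U3D": "3D stream (/Subtype /U3D)",
}


def pdf_names(data: bytes) -> list[bytes]:
    """Return every name token in the raw bytes with #xx escapes decoded."""
    decode = lambda m: bytes([int(m.group(1), 16)])
    return [_ESCAPE.sub(decode, raw) for raw in _NAME.findall(data)]


def u3d_findings(data: bytes) -> list[str]:
    """Sorted labels for 3D/U3D markers found; an empty list means none seen."""
    names = pdf_names(data)
    hits = set()
    # In a dictionary the key /Subtype is immediately followed by its name value.
    for key, value in zip(names, names[1:]):
        if key == b"Subtype" and value in _LABELS:
            hits.add(_LABELS[value])
    return sorted(hits)


# Constructed PDF fragments (not real documents) used as sample input.
SAMPLE_PLAIN = (b"%PDF-1.7\n5 0 obj\n<< /Type /Annot /Subtype /3D /3DD 6 0 R >>\n"
                b"endobj\n6 0 obj\n<< /Type /3D /Subtype /U3D /Length 0 >>\n"
                b"stream\n\nendstream\nendobj\n")
SAMPLE_ESCAPED = (b"%PDF-1.7\n6 0 obj\n<< /Type /3D /Sub#74ype /U#33D /Length 0 >>\n"
                  b"stream\n\nendstream\nendobj\n")
SAMPLE_CLEAN = b"%PDF-1.7\n4 0 obj\n<< /Type /Annot /Subtype /Link >>\nendobj\n"

if __name__ == "__main__":
    for label, sample in [("plain", SAMPLE_PLAIN), ("escaped", SAMPLE_ESCAPED),
                          ("clean", SAMPLE_CLEAN)]:
        print(label, u3d_findings(sample) or "no U3D markers")
```

This is a raw-byte heuristic: dictionaries stored inside compressed object streams are not visible to it, so an empty result is a triage signal and not proof that a file carries no 3D content.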

🔍 How to Verify

Check if Vulnerable:

Check Foxit PhantomPDF version in Help > About. If version is 10.1.0.37527, system is vulnerable.

Check Version:

wmic product where name="Foxit PhantomPDF" get version

Verify Fix Applied:

Verify version is 10.1.1 or higher in Help > About dialog.

📡 Detection & Monitoring

Log Indicators:

  • Process creation events from Foxit PhantomPDF with unusual command-line arguments
  • Crash reports from Foxit PhantomPDF

Network Indicators:

  • Outbound connections from Foxit PhantomPDF process to suspicious IPs
  • DNS requests for known malicious domains

SIEM Query:

process_name="FoxitPhantomPDF.exe" AND (event_id=1 OR event_id=1000)
