Login Sign Up

CVE-2021-27271

7.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability in Foxit PhantomPDF allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files containing specially crafted U3D objects. The flaw is an out-of-bounds read condition due to improper validation of user-supplied data. Users of affected Foxit PhantomPDF versions are at risk.

💻 Affected Systems

Products:
  • Foxit PhantomPDF
Versions: 10.1.0.37527 and earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default when processing PDF files with U3D objects.

📦 What is this software?

Foxit Reader by Foxitsoftware

View all CVEs affecting Foxit Reader →

Phantompdf by Foxitsoftware

View all CVEs affecting Phantompdf →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via remote code execution with current user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Malicious actors deliver weaponized PDFs via phishing campaigns to execute malware or steal credentials from the compromised system.

🟢

If Mitigated

Limited impact with proper security controls like application whitelisting, network segmentation, and user awareness training preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (opening malicious file) but is technically straightforward once the malicious PDF is delivered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.1 or later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Download latest version from Foxit website. 2. Run installer. 3. Restart system. 4. Verify update in Help > About.

🔧 Temporary Workarounds

Disable U3D object processing

windows

Configure Foxit PhantomPDF to disable or restrict processing of U3D objects in PDF files.

Navigate to Edit > Preferences > Security (Enhanced) > Disable U3D support

Use alternative PDF viewer

all

Temporarily use a different PDF viewer that is not affected by this vulnerability.

🧯 If You Can't Patch

  • Implement application whitelisting to block execution of unauthorized binaries.
  • Deploy network segmentation to limit lateral movement from compromised systems.

🔍 How to Verify

Check if Vulnerable:

Check Foxit PhantomPDF version in Help > About menu. If version is 10.1.0.37527 or earlier, system is vulnerable.

Check Version:

In Foxit PhantomPDF: Help > About

Verify Fix Applied:

Verify version is 10.1.1 or later in Help > About menu after patching.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes in Foxit PhantomPDF logs
  • Unusual process creation from Foxit processes
  • Security software alerts for PDF file execution

Network Indicators:

  • Outbound connections from Foxit processes to unknown IPs
  • DNS requests for suspicious domains following PDF opening

SIEM Query:

source="foxit_logs" AND (event_type="crash" OR process_name="phantompdf.exe")

📊 Metadata

CVE ID: CVE-2021-27271
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-125
Published: March 30, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-27271, you might also want to check these:

CVE-2021-41556 10.0

CVE-2021-41556 is a critical out-of-bounds read vulnerability in Squirrel scripting language that al...

Same vulnerability type (CWE-125)
CVE-2024-22004 10.0

This vulnerability allows attackers with privileged access on Linux non-secure operating systems to ...

Same vulnerability type (CWE-125)
CVE-2021-21777 10.0

CVE-2021-21777 is a critical out-of-bounds read vulnerability in the Ethernet/IP UDP handler of OpEN...

Same vulnerability type (CWE-125)