Login Sign Up

CVE-2021-34847

7.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability in Foxit PDF Reader allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files. The flaw exists in how Annotation objects are handled without proper validation, enabling code execution in the current process context. Users of affected Foxit PDF Reader versions are at risk.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: 11.0.0.49893 and earlier versions
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. User interaction required (opening malicious PDF).

📦 What is this software?

Pdf Editor by Foxitsoftware

View all CVEs affecting Pdf Editor →

Pdf Editor by Foxitsoftware

View all CVEs affecting Pdf Editor →

Pdf Reader by Foxit

View all CVEs affecting Pdf Reader →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via remote code execution, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Malware installation or data exfiltration when users open malicious PDFs from phishing emails or compromised websites.

🟢

If Mitigated

Limited impact with proper endpoint protection, application sandboxing, and user awareness training preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction but is straightforward once malicious PDF is opened. ZDI advisory suggests weaponization is likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.0.0.49894 and later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader
2. Go to Help > Check for Updates
3. Follow prompts to install latest version
4. Restart application after update

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

all

Prevents JavaScript-based exploitation vectors

File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Protected View

windows

Opens PDFs in sandboxed mode

File > Preferences > Trust Manager > Check 'Enable Safe Reading Mode'

🧯 If You Can't Patch

  • Use alternative PDF readers that are not vulnerable
  • Block PDF files from untrusted sources at network perimeter

🔍 How to Verify

Check if Vulnerable:

Check Foxit Reader version: Help > About Foxit Reader. If version is 11.0.0.49893 or earlier, system is vulnerable.

Check Version:

On Windows: wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Verify version is 11.0.0.49894 or later in Help > About Foxit Reader.

📡 Detection & Monitoring

Log Indicators:

  • Foxit Reader crash logs with memory access violations
  • Unexpected child processes spawned from Foxit Reader

Network Indicators:

  • Outbound connections from Foxit Reader to unknown IPs
  • DNS requests for suspicious domains after PDF opening

SIEM Query:

process_name:"FoxitReader.exe" AND (event_id:1000 OR parent_process_name:"FoxitReader.exe")

📊 Metadata

CVE ID: CVE-2021-34847
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: August 4, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-34847, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)