CVE-2021-38572

9.8 CRITICAL

📋 TL;DR

This vulnerability in Foxit Reader and PhantomPDF allows attackers to write arbitrary files due to insufficient validation of the extractPages pathname. Attackers can exploit this to potentially execute arbitrary code or overwrite critical system files. All users of affected Foxit software versions are at risk.

💻 Affected Systems

Products:
  • Foxit Reader
  • Foxit PhantomPDF
Versions: All versions before 10.1.4
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable; no special configuration required for exploitation

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment

🟠 Likely Case: File system corruption, data loss, or privilege escalation through malicious file writes

🟢 If Mitigated: Limited impact with proper application sandboxing and file system permissions

🌐 Internet-Facing: HIGH - PDF files are commonly shared via email and web, making this easily weaponizable
🏢 Internal Only: HIGH - Internal document sharing and PDF processing workflows create multiple attack vectors

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction to open a malicious PDF, but the technical complexity is minimal

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.4 and later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Open Foxit Reader/PhantomPDF
2. Go to Help > Check for Updates
3. Follow the prompts to install version 10.1.4 or later
4. Restart the application

🔧 Temporary Workarounds

Disable JavaScript in Foxit (applies to: all platforms)

Prevents JavaScript-based exploitation vectors

File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Application Sandboxing (applies to: all platforms)

Restrict Foxit's file system access using OS-level controls

🧯 If You Can't Patch

  • Block PDF files from untrusted sources at the network perimeter so they never reach Foxit Reader
  • Implement application whitelisting to prevent unauthorized Foxit execution

🔍 How to Verify

Check if Vulnerable:

Check Help > About in Foxit Reader/PhantomPDF and verify version is below 10.1.4

Check Version:

On Windows: wmic product where name='Foxit Reader' get version

Verify Fix Applied:

Confirm version is 10.1.4 or higher in Help > About dialog

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations from Foxit process
  • Multiple extractPages operations in a short time

Network Indicators:

  • PDF downloads followed by suspicious file writes
  • External connections after PDF processing

SIEM Query:

process_name='FoxitReader.exe' AND file_write_operation AND target_path NOT CONTAINS 'Temp'
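As an added example (not part of this advisory), the SIEM query above expressed as a small Python check over constructed file-write events shaped like Sysmon Event ID 11 records; the second process name, the benign and sensitive path substrings, and the three-way verdict are assumptions for illustration.

```python
# Added example, not from the advisory: a script-level version of the SIEM query
# above, run over constructed file-write events shaped like Sysmon Event ID 11.
from typing import Dict, Iterable, List

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"process_name": "FoxitReader.exe", "operation": "file_write",
     "target_path": r"C:\Users\alice\AppData\Local\Temp\Foxit\cache.dat"},
    {"process_name": "FoxitReader.exe", "operation": "file_write",
     "target_path": r"C:\Users\alice\Documents\invoice_pages.pdf"},
    {"process_name": "FoxitReader.exe", "operation": "file_write",
     "target_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.exe"},
    {"process_name": "FoxitReader.exe", "operation": "file_write",
     "target_path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"process_name": "notepad.exe", "operation": "file_write",
     "target_path": r"C:\Users\alice\Documents\notes.txt"},
    {"process_name": "FoxitReader.exe", "operation": "process_create",
     "target_path": ""},
]

# Assumed process names; the advisory's query names only FoxitReader.exe.
FOXIT_PROCESSES = {"foxitreader.exe", "foxitphantompdf.exe"}
# Expected write locations, mirroring "target_path NOT CONTAINS 'Temp'".
BENIGN_SUBSTRINGS = ("\\temp\\",)
# Assumed high-value locations an arbitrary file write would land in.
SENSITIVE_SUBSTRINGS = ("\\startup\\", "\\windows\\system32\\", "\\program files")

def classify_write(event: Dict[str, str]) -> str:
    """Return 'ignore', 'review' or 'alert' for a single event."""
    if event.get("operation") != "file_write":
        return "ignore"
    if event.get("process_name", "").lower() not in FOXIT_PROCESSES:
        return "ignore"
    path = event.get("target_path", "").lower()
    if any(s in path for s in BENIGN_SUBSTRINGS):
        return "ignore"
    if any(s in path for s in SENSITIVE_SUBSTRINGS):
        return "alert"
    return "review"  # ordinary document saves also match; tune an allowlist here

def flag_suspicious_writes(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the query would surface, each with a 'verdict' key."""
    hits = []
    for event in events:
        verdict = classify_write(event)
        if verdict != "ignore":
            hits.append({**event, "verdict": verdict})
    return hits

if __name__ == "__main__":
    for hit in flag_suspicious_writes(SAMPLE_EVENTS):
        print(hit["verdict"], hit["process_name"], hit["target_path"])
```

The query as written also surfaces routine saves into user folders (the "review" verdict), so an allowlist of document directories is needed before it is suitable for alerting.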
