Login Sign Up

CVE-2022-22150

8.8 HIGH
Remote Code Execution

📋 TL;DR

A memory corruption vulnerability in Foxit PDF Reader's JavaScript engine allows arbitrary code execution when users open malicious PDF files or visit malicious websites with the browser plugin enabled. This affects users running vulnerable versions of Foxit PDF Reader, particularly those who open untrusted documents or browse untrusted websites with the plugin active.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: 11.1.0.52543 and earlier versions
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Browser plugin must be enabled for web-based exploitation. All default configurations are vulnerable.

📦 What is this software?

Pdf Reader by Foxit

View all CVEs affecting Pdf Reader →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining complete control of the victim's machine, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Malware installation leading to credential theft, data exfiltration, or system disruption for individual users who open malicious PDFs.

🟢

If Mitigated

Limited impact with proper security controls like application whitelisting, network segmentation, and user awareness preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (opening file or visiting malicious site). The vulnerability is well-documented with public technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.2.0 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader. 2. Go to Help > Check for Updates. 3. Follow prompts to install version 11.2.0 or later. 4. Restart the application.

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

all

Prevents exploitation by disabling the vulnerable JavaScript engine component

Open Foxit Reader > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Disable Browser Plugin

all

Prevents web-based exploitation through malicious websites

Browser settings > Extensions/Add-ons > Disable Foxit PDF Reader plugin

🧯 If You Can't Patch

  • Implement application control to block execution of Foxit PDF Reader
  • Use network segmentation to isolate systems running vulnerable versions

🔍 How to Verify

Check if Vulnerable:

Check Foxit PDF Reader version in Help > About. If version is 11.1.0.52543 or earlier, system is vulnerable.

Check Version:

On Windows: wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Verify version is 11.2.0 or later in Help > About. Confirm JavaScript is disabled if using workaround.

📡 Detection & Monitoring

Log Indicators:

  • Process crashes of FoxitReader.exe
  • Unusual child processes spawned from Foxit Reader
  • Memory access violations in application logs

Network Indicators:

  • Unexpected outbound connections from Foxit Reader process
  • Downloads of PDF files from suspicious sources

SIEM Query:

process_name="FoxitReader.exe" AND (event_id=1000 OR event_id=1001) OR process_parent_name="FoxitReader.exe" AND process_name NOT IN ("explorer.exe", "cmd.exe")

📊 Metadata

CVE ID: CVE-2022-22150
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-460
Published: February 4, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-22150, you might also want to check these:

CVE-2022-4744 7.8

A double-free vulnerability in the Linux kernel's TUN/TAP device driver allows local attackers to cr...

Same vulnerability type (CWE-460)