CVE-2022-24367

8.8 HIGH

📋 TL;DR

This vulnerability in Foxit PDF Reader allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files or visiting malicious web pages. The flaw exists in how AcroForms handle objects without proper validation, enabling code execution in the current process context. Users of affected Foxit PDF Reader versions are at risk.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: 11.1.0.52543 and earlier versions
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. Requires user interaction to trigger.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.

🟠 Likely Case

Malware installation or data theft through targeted phishing campaigns using malicious PDF attachments.

🟢 If Mitigated

Limited impact if proper endpoint protection, application sandboxing, and user training prevent malicious file execution.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious file/website) but can be delivered via web or email.
🏢 Internal Only: MEDIUM - Internal phishing campaigns or shared malicious documents could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit requires user interaction but is technically straightforward once the malicious file is opened. ZDI published an advisory with technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.1.1 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader.
2. Go to Help > Check for Updates.
3. Follow prompts to install latest version.
4. Alternatively, download and install latest version from Foxit website.
5. Restart computer after installation.

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

Platform: all

Prevents JavaScript-based exploitation vectors in PDF files

Open Foxit Reader > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Protected View

Platform: windows

Open PDFs in sandboxed protected view mode

Open Foxit Reader > File > Preferences > Trust Manager > Check 'Enable Safe Reading Mode'

🧯 If You Can't Patch

  • Block PDF files from untrusted sources at email/web gateways
  • Use application whitelisting to prevent unauthorized PDF reader execution

🔍 How to Verify

Check if Vulnerable:

Check Foxit Reader version: Open Foxit Reader > Help > About. If the version is 11.1.0.52543 or earlier, the system is vulnerable.

Check Version:

On Windows: wmic product where "name like 'Foxit%'" get version

Verify Fix Applied:

Verify version is 11.1.1 or later in Help > About. Test with known safe PDF files to ensure functionality.

📡 Detection & Monitoring

Log Indicators:

  • Foxit Reader crash logs with memory access violations
  • Unexpected child processes spawned from Foxit Reader

Network Indicators:

  • Outbound connections from Foxit Reader process to suspicious IPs
  • DNS requests for known malicious domains after PDF opening

SIEM Query:

(process_name:"FoxitReader.exe" AND event_id:1000) OR parent_process_name:"FoxitReader.exe"
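
The two log indicators above (reader crashes and unexpected child processes), applied to a few constructed events. This is an added example, not part of the original advisory. The field names process_name, parent_process_name and event_id follow the SIEM query; host, exception_code, the event shape and the child allowlist are assumptions to adapt to your log schema.

```python
from ntpath import basename  # parses Windows-style paths on any OS

READER = "foxitreader.exe"
ACCESS_VIOLATION = "0xc0000005"  # Windows STATUS_ACCESS_VIOLATION
# Assumption: children the reader may legitimately start; extend per environment.
EXPECTED_CHILDREN = {READER}

def _name(path):
    """Lower-cased image name with any directory part removed."""
    return basename(path or "").lower()

def classify(event):
    """Return a finding label for one event, or None if it is not of interest."""
    proc = _name(event.get("process_name"))
    parent = _name(event.get("parent_process_name"))
    # Indicator: unexpected child process spawned from the reader.
    if parent == READER and proc not in EXPECTED_CHILDREN:
        return "unexpected-child"
    # Indicator: reader crash (Application Error, event 1000).
    if proc == READER and event.get("event_id") == 1000:
        code = str(event.get("exception_code", "")).lower()
        return "crash-access-violation" if code == ACCESS_VIOLATION else "crash"
    return None

def triage(events):
    """Return (host, finding, image name) for every event that matches."""
    findings = []
    for ev in events:
        kind = classify(ev)
        if kind:
            findings.append((ev.get("host"), kind, _name(ev.get("process_name"))))
    return findings

# Constructed sample events (hosts, paths and codes are illustrative only).
SAMPLE_EVENTS = [
    {"host": "ws-01", "event_id": 4688, "process_name": "FoxitReader.exe",
     "parent_process_name": "explorer.exe"},
    {"host": "ws-01", "event_id": 1000, "process_name": "FoxitReader.exe",
     "exception_code": "0xC0000005"},
    {"host": "ws-02", "event_id": 4688, "process_name": r"C:\Windows\System32\cmd.exe",
     "parent_process_name": r"C:\Constructed\Path\FoxitReader.exe"},
    {"host": "ws-03", "event_id": 1000, "process_name": "FoxitReader.exe",
     "exception_code": "0xc0000409"},
    {"host": "ws-03", "event_id": 4688, "process_name": "FoxitReader.exe",
     "parent_process_name": "FoxitReader.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Normal launches from explorer.exe and the reader re-launching itself are ignored; a crash on its own is a weak signal and is best correlated with a child-process finding on the same host.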
