CVE-2022-24955
📋 TL;DR
CVE-2022-24955 is a DLL hijacking vulnerability in Foxit PDF software that allows attackers to execute arbitrary code by placing malicious DLL files in directories searched by the application. This affects users of Foxit PDF Reader and Foxit PDF Editor on Windows systems. Successful exploitation requires the attacker to trick a user into opening a malicious file or accessing a compromised directory.
💻 Affected Systems
- Foxit PDF Reader
- Foxit PDF Editor
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the user running Foxit software, potentially leading to ransomware deployment, data theft, or persistent backdoor installation.
Likely Case
Local privilege escalation or arbitrary code execution in the context of the current user, allowing attackers to steal documents, install malware, or move laterally within the network.
If Mitigated
Limited impact if user runs with minimal privileges, application is sandboxed, or proper file permissions prevent DLL placement in vulnerable directories.
🎯 Exploit Status
Exploitation requires user interaction (opening a file or accessing a directory). DLL hijacking techniques are well-documented and weaponization is likely given the high CVSS score.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.2.1 and later
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: Yes
Instructions:
1. Download Foxit PDF Reader/Editor version 11.2.1 or later from the official Foxit website.
2. Run the installer.
3. Follow the installation prompts.
4. Restart the application and any related services.
🔧 Temporary Workarounds
Restrict DLL search path (Windows)
Use Windows policies or application settings to restrict DLL loading to trusted directories only. Note that SafeDllSearchMode is enabled by default on supported Windows versions and still searches the application directory first, so it does not prevent hijacking by a DLL planted alongside the executable; treat it as hardening, not a complete fix.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
Remove vulnerable versions (Windows)
Uninstall vulnerable Foxit versions and use alternative PDF software until patched.
appwiz.cpl
Select Foxit PDF Reader/Editor and click Uninstall.
🧯 If You Can't Patch
- Run Foxit software with minimal user privileges (not as administrator)
- Implement application whitelisting to prevent execution of unauthorized DLLs
🔍 How to Verify
Check if Vulnerable:
Check the Foxit version via Help > About. If the version is below 11.2.1, the system is vulnerable.
Check Version:
wmic product where name="Foxit PDF Reader" get version
(wmic is deprecated in current Windows releases and may be absent; the Help > About dialog works on every version.)
Verify Fix Applied:
Verify version is 11.2.1 or higher in Help > About dialog.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual directories
- Image-load events (for example Sysmon Event ID 7) for DLLs loaded by Foxit processes from outside the installation directory or the Windows system directories, or for DLLs that are unsigned
Network Indicators:
- Unusual outbound connections from Foxit processes post-exploitation
SIEM Query:
source="Windows Security" AND event_id=4688 AND process_name="Foxit*.exe" AND parent_process_name NOT IN ("explorer.exe", "cmd.exe")
Event ID 4688 records process creation, not DLL loads, so this query only surfaces Foxit processes started by an unexpected parent; pair it with image-load telemetry to see the DLL itself.
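As an added example (not part of this advisory), the following Python script applies the image-load indicator above to constructed Sysmon Event ID 7 records: it flags any DLL that a Foxit executable loads from outside the assumed install directories or Windows system folders, or that is unsigned. The executable names, install paths and the pipe-separated record format are assumptions, not values from the advisory.

```python
# Added example (not from the advisory): flag DLLs loaded by Foxit processes
# from untrusted locations, using Sysmon Event ID 7 (Image loaded) records.
# Install paths and executable names are assumptions; the log format is a
# constructed "Key=Value|Key=Value" flattening of the Sysmon event fields.

TRUSTED_DIRS = (  # assumed default install paths plus Windows system folders
    r"C:\Program Files\Foxit Software\Foxit PDF Reader",
    r"C:\Program Files\Foxit Software\Foxit PDF Editor",
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
)

def _norm(path):
    return path.replace("/", "\\").rstrip("\\").lower()

def in_trusted_dir(dll_path):
    """True if the DLL sits under one of the trusted directories."""
    d = _norm(dll_path)
    return any(d.startswith(_norm(t) + "\\") for t in TRUSTED_DIRS)

def is_foxit_process(image):
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.startswith("foxit") and name.endswith(".exe")

def parse_event(line):
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def suspicious_loads(lines):
    """Return (process, dll, reason) for each Foxit DLL load worth triage."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7" or not is_foxit_process(ev.get("Image", "")):
            continue  # only image-load events from Foxit executables
        dll = ev.get("ImageLoaded", "")
        if not in_trusted_dir(dll):
            hits.append((ev["Image"], dll, "loaded from untrusted directory"))
        elif ev.get("Signed", "").lower() != "true":
            hits.append((ev["Image"], dll, "unsigned DLL in trusted directory"))
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    r"EventID=7|Image=C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"EventID=7|Image=C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe|ImageLoaded=C:\Users\alice\Downloads\version.dll|Signed=false",
    r"EventID=7|Image=C:\Program Files\Foxit Software\Foxit PDF Editor\FoxitPDFEditor.exe|ImageLoaded=\\fileshare\docs\cryptbase.dll|Signed=false",
    r"EventID=7|Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Users\alice\Downloads\version.dll|Signed=false",
    r"EventID=1|Image=C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe|CommandLine=FoxitPDFReader.exe report.pdf",
]
```

Running `suspicious_loads(SAMPLE_LOG)` reports the two loads from the Downloads folder and the file share; the load of the genuine System32 version.dll, the notepad.exe load and the process-creation record are ignored.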