CVE-2022-24971

8.8 HIGH

📋 TL;DR

This vulnerability in Foxit PDF Reader allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files that contain specially crafted JPEG2000 images. The flaw is improper data validation during JPEG2000 parsing, which enables out-of-bounds reads that can lead to code execution. Users of Foxit PDF Reader 11.1.0.52543 are affected.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: 11.1.0.52543
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of the affected version are vulnerable regardless of configuration settings.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via remote code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement within networks.

🟠 Likely Case

Malicious actors deliver weaponized PDFs via phishing campaigns, executing malware payloads when users open the documents.

🟢 If Mitigated

Limited impact with proper endpoint protection, application sandboxing, and user awareness training preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (opening malicious file) but is otherwise straightforward given the public vulnerability details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.1.1 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader
2. Go to Help > Check for Updates
3. Follow prompts to install latest version
4. Restart application after update

🔧 Temporary Workarounds

  • Disable JPEG2000 image rendering (all platforms): Prevent parsing of JPEG2000 images in PDF files. Command: not applicable; this is a configuration setting in Foxit preferences.
  • Use alternative PDF viewer (all platforms): Temporarily switch to a different PDF reader application.

🧯 If You Can't Patch

  • Implement application whitelisting to block Foxit PDF Reader execution
  • Deploy endpoint detection and response (EDR) with behavioral monitoring for PDF file execution

🔍 How to Verify

Check if Vulnerable:

Check the Foxit PDF Reader version in Help > About. If the version is 11.1.0.52543 or earlier, the system is vulnerable.

Check Version:

On Windows: wmic product where name="Foxit PDF Reader" get version

Verify Fix Applied:

Verify version is 11.1.1 or later in Help > About after update.
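
For checking many Windows hosts, the same comparison can be scripted. The PowerShell below is an added example, not part of the vendor advisory. It reads the uninstall registry keys rather than the Win32_Product class that `wmic product` queries, because that query triggers a Windows Installer consistency check on every installed package. It assumes the installer registers a DisplayName beginning with "Foxit PDF Reader" (the name used in the wmic command above) and uses the fixed version 11.1.1 stated on this page.

```powershell
# Added example: registry-based check for Foxit PDF Reader builds older than the fix.
# Assumption: the installer's DisplayName starts with "Foxit PDF Reader".
$FixedVersion = [version]'11.1.1'   # patch version stated in this advisory

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-FoxitReaderStatus {
    param([version]$Fixed = $FixedVersion)

    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Foxit PDF Reader*' } |
        ForEach-Object {
            # DisplayVersion is free text; TryParse avoids throwing on odd values.
            $parsed = $null
            $ok = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)

            if (-not $ok) {
                $status = 'UNKNOWN (unparseable version)'
            } elseif ($parsed -lt $Fixed) {
                # e.g. 11.1.0.52543 compares lower than 11.1.1
                $status = 'VULNERABLE'
            } else {
                $status = 'PATCHED'
            }

            [pscustomobject]@{
                Name       = $_.DisplayName
                Version    = $_.DisplayVersion
                Status     = $status
                InstallDir = $_.InstallLocation
            }
        }
}

$results = @(Get-FoxitReaderStatus)
if ($results.Count -eq 0) {
    Write-Output 'Foxit PDF Reader not found in the uninstall registry keys.'
} else {
    $results | Format-Table -AutoSize
}
```

The HKCU key only covers per-user installs for the account running the script, so run it in the user's context or pair it with a file-version check when per-user installs are possible.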

📡 Detection & Monitoring

Log Indicators:

  • Foxit PDF Reader crash logs with memory access violations
  • Unexpected child processes spawned from Foxit PDF Reader

Network Indicators:

  • Outbound connections from Foxit PDF Reader to suspicious domains
  • DNS requests for known malware C2 infrastructure

SIEM Query:

process_name:"FoxitPDFReader.exe" AND (event_id:1000 OR event_id:1001) AND exception_code:0xc0000005
