CVE-2022-28104

9.8 CRITICAL

📋 TL;DR

Foxit PDF Editor v11.3.1 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files to the system. This affects all users running the vulnerable version of Foxit PDF Editor, potentially leading to remote code execution.

💻 Affected Systems

Products:
  • Foxit PDF Editor
Versions: v11.3.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only Foxit PDF Editor v11.3.1 is confirmed affected; other versions may be vulnerable, but this is not confirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with SYSTEM/root privileges, complete system compromise, data exfiltration, ransomware deployment, and lateral movement across the network.

🟠 Likely Case

Malware installation, backdoor persistence, credential theft, and data manipulation through uploaded malicious files.

🟢 If Mitigated

Limited impact with proper network segmentation, application whitelisting, and least privilege principles in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on Packet Storm Security, making this easily weaponizable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v11.3.2 or later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Download the latest version from the Foxit website.
2. Uninstall the vulnerable version.
3. Install the updated version.
4. Restart the system.

🔧 Temporary Workarounds

Disable Foxit PDF Editor

Platform: Windows

Temporarily disable or uninstall Foxit PDF Editor until patched.

Uninstall via Control Panel > Programs > Uninstall a program

Network Restriction

Platform: Windows

Block Foxit PDF Editor from accessing network resources.

Use Windows Firewall to block outbound/inbound connections for FoxitPDFEditor.exe

🧯 If You Can't Patch

  • Implement application whitelisting to prevent unauthorized executables
  • Deploy endpoint detection and response (EDR) with behavioral monitoring

🔍 How to Verify

Check if Vulnerable:

Check the Foxit PDF Editor version in Help > About. If the version is 11.3.1, the system is vulnerable.

Check Version:

wmic product where name="Foxit PDF Editor" get version

Verify Fix Applied:

After updating, verify in Help > About that the version is 11.3.2 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads via Foxit processes
  • Suspicious child processes spawned from FoxitPDFEditor.exe

Network Indicators:

  • Unexpected outbound connections from Foxit PDF Editor
  • File uploads to unusual destinations

SIEM Query:

process_name="FoxitPDFEditor.exe" AND (process_command_line CONTAINS "upload" OR child_process_name IN ("cmd.exe", "powershell.exe", "wscript.exe"))
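
One way to express the SIEM query above over process-creation records, as an added example that is not part of the original advisory. The field names image, parent_image and command_line and the sample records are assumptions constructed for illustration; the child-process clause is mapped to records whose parent is FoxitPDFEditor.exe.

```python
import ntpath

# Process names come from the SIEM query; Windows names compare case-insensitively.
PARENT = "foxitpdfeditor.exe"
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe"}

def exe_name(path):
    """Lower-cased executable name from a Windows path or a bare name."""
    return ntpath.basename(path or "").lower()

def match(event):
    """Return why a process-creation record matches the query, or None.

    Assumed record shape (hypothetical field names): 'image' is the new
    process, 'parent_image' its parent, 'command_line' its arguments.
    """
    image = exe_name(event.get("image"))
    parent = exe_name(event.get("parent_image"))
    # Child-process clause: the interpreter is the new process, Foxit the parent.
    if parent == PARENT and image in SUSPICIOUS_CHILDREN:
        return "child:" + image
    # Command-line clause: Foxit itself was started with "upload" in its arguments.
    if image == PARENT and "upload" in (event.get("command_line") or "").lower():
        return "cmdline:upload"
    return None

def scan(events):
    """Return (index, reason) for every matching record, in input order."""
    return [(i, why) for i, e in enumerate(events) if (why := match(e))]

# Constructed sample records for illustration, not real telemetry.
SAMPLE = [
    {"image": r"C:\Apps\Foxit\FoxitPDFEditor.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'FoxitPDFEditor.exe "C:\Users\a\report.pdf"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Apps\Foxit\FOXITPDFEDITOR.EXE",
     "command_line": "cmd.exe /c dir"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe"},
    {"image": "FoxitPDFEditor.exe", "parent_image": None,
     "command_line": "FoxitPDFEditor.exe C:\\Temp\\upload-form.pdf"},
]
```

A file name containing "upload" also satisfies the command-line clause, as the last sample record shows, so that clause needs tuning against a local baseline.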
