CVE-2022-28675

7.8 HIGH

📋 TL;DR

This vulnerability in Foxit PDF Reader allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files or visiting malicious web pages. The flaw is in the handling of Annotation objects, which lacks proper validation, and it enables code execution in the context of the current process. Users of affected Foxit PDF Reader versions are at risk.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: 11.2.1.53537 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. User interaction required (opening malicious file or visiting malicious page).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via remote code execution, allowing attackers to install malware, steal data, or gain persistent access.

🟠 Likely Case

Malware installation or data theft through targeted phishing campaigns using malicious PDF attachments.

🟢 If Mitigated

Limited impact with proper endpoint protection, user training, and network segmentation preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction but is straightforward once malicious content is delivered. The ZDI advisory suggests weaponization is likely given the nature of the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.2.2 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader
2. Go to Help > Check for Updates
3. Follow prompts to update to version 11.2.2 or later
4. Restart the application

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

Prevents JavaScript-based exploitation vectors

Open Foxit Reader > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Protected View

Open PDFs in sandboxed protected view mode

File > Preferences > General > Check 'Open cross-domain PDF files in Protected View'

🧯 If You Can't Patch

  • Block PDF files from untrusted sources at email/web gateways
  • Use alternative PDF reader software temporarily

🔍 How to Verify

Check if Vulnerable:

Check the Foxit Reader version under Help > About Foxit Reader. If the version is 11.2.1.53537 or earlier, the system is vulnerable.

Check Version:

wmic product where "name like 'Foxit%Reader%'" get version

Verify Fix Applied:

Verify version is 11.2.2 or later in Help > About Foxit Reader.
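
A scriptable form of the check above, as an added example (not from the vendor or the original page): it reads the standard Windows uninstall registry keys instead of `wmic product`, which is deprecated, and compares each version against the thresholds stated on this page. The function name `Get-FoxitReaderStatus` and the sample entries are assumptions made for illustration, and it assumes the installer registers a DisplayName matching the page's `Foxit%Reader%` pattern.

```powershell
# Added example: flag Foxit Reader installs affected by CVE-2022-28675.
# Thresholds are the ones on this page: 11.2.1.53537 and earlier are
# vulnerable, 11.2.2 or later is fixed.
$LastVulnerable = [version]'11.2.1.53537'

# Standard per-machine (64-bit and 32-bit view) and per-user uninstall keys.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Hypothetical helper: takes objects with DisplayName / DisplayVersion.
function Get-FoxitReaderStatus {
    param([object[]]$Entries)
    foreach ($e in $Entries) {
        # Same name pattern as the wmic query on this page.
        if ($e.DisplayName -notlike 'Foxit*Reader*') { continue }

        $parsed = $null
        if (-not [version]::TryParse([string]$e.DisplayVersion, [ref]$parsed)) {
            $status = 'UNKNOWN'        # missing or non-numeric version string
        } elseif ($parsed -le $LastVulnerable) {
            $status = 'VULNERABLE'
        } else {
            $status = 'PATCHED'
        }
        [pscustomobject]@{
            Name    = $e.DisplayName
            Version = $e.DisplayVersion
            Status  = $status
        }
    }
}

# Constructed sample entries (not real inventory data) showing each outcome.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Foxit PDF Reader'; DisplayVersion = '11.2.1.53537' }
    [pscustomobject]@{ DisplayName = 'Foxit PDF Reader'; DisplayVersion = '11.2.2.0' }
    [pscustomobject]@{ DisplayName = 'Foxit PDF Reader'; DisplayVersion = '' }
)
Get-FoxitReaderStatus -Entries $sample | Format-Table -AutoSize

# Live check against the local registry; no output rows means no match.
$installed = Get-ItemProperty -Path $UninstallRoots -ErrorAction SilentlyContinue
Get-FoxitReaderStatus -Entries $installed | Format-Table -AutoSize
```

An `UNKNOWN` status means the registered version string could not be parsed and the install should be checked by hand in Help > About Foxit Reader.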

📡 Detection & Monitoring

Log Indicators:

  • Foxit Reader crash logs with memory access violations
  • Unexpected child processes spawned from Foxit Reader

Network Indicators:

  • Downloads of PDF files from suspicious sources followed by unusual outbound connections

SIEM Query:

source="*foxit*" AND (event_type="crash" OR (process_name="foxitreader.exe" AND parent_process!="explorer.exe"))
