CVE-2022-37354

7.8 HIGH

📋 TL;DR

CVE-2022-37354 is a buffer overflow in the J2K (JPEG 2000) file parser of PDF-XChange Editor. A crafted J2K file that the parser fails to validate lets an attacker run code in the context of the editor process, that is, with the privileges of the user who opened the file. User interaction is required: the target must open the malicious file or visit a web page that delivers it. All users of PDF-XChange Editor versions before 9.3.361.0 are affected.

💻 Affected Systems

Products:
  • PDF-XChange Editor
Versions: Versions prior to 9.3.361.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with vulnerable versions are affected regardless of configuration.

📦 What is this software?

PDF-XChange Editor is a PDF viewer and editor for Windows from Tracker Software Products. Besides PDF documents it opens image files, and its JPEG 2000 (J2K) image parser is the component affected by this CVE.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the user's session, with the attacker gaining full control of the affected system if that user is a local administrator or a separate privilege escalation succeeds, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Malware installation or data exfiltration from the compromised system, with attackers using the foothold to escalate privileges or move laterally.

🟢

If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in application crash rather than full compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY (estimate; no in-the-wild exploitation is cited on this page)
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

User interaction required (opening a malicious J2K file, or visiting a page that delivers one). Once the file is opened, parsing happens automatically and no further interaction is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.3.361.0 and later

Vendor Advisory: https://www.tracker-software.com/product/pdf-xchange-editor/history

Restart Required: Yes

Instructions:

1. Download the latest version from tracker-software.com
2. Run the installer
3. Restart the system
4. Verify the version is 9.3.361.0 or higher (Help > About)

🔧 Temporary Workarounds

Disable J2K file association

windows

Remove the JPEG 2000 file-type association (.j2k, plus any related extensions the installer registered, such as .jp2) from PDF-XChange Editor so that double-clicking such a file does not launch the vulnerable parser. This only stops the automatic launch: a user can still open the file from within the editor, and the parser itself is unchanged.

Control Panel > Default Programs > Associate a file type or protocol with a program > Select .j2k > Change program > Choose a different application (on Windows 10: Settings > Apps > Default apps > Choose default apps by file type)

Application sandboxing

windows

Run PDF-XChange Editor as a standard (non-administrator) user, ideally inside a restricted environment such as Windows Sandbox or a dedicated low-privilege account. The exploit runs with the editor's privileges, so this limits what a successful exploit can reach rather than preventing it.

🧯 If You Can't Patch

  • Block JPEG 2000 files at the network perimeter and email gateways, matching on file content (signature bytes), not only on the .j2k/.jp2 extension, since a renamed file is still parsed once opened
  • Implement application allowlisting (AppLocker or WDAC) so that payloads dropped or launched by a compromised editor process cannot execute
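The gateway blocking and the file-association workaround above both key on the extension, which an attacker controls. The following added example (not part of the page or the vendor's tooling) identifies JPEG 2000 content by its leading bytes instead: the JP2 container signature box and the raw codestream SOC+SIZ markers. It scans a folder such as a mail quarantine and flags files whose extension disagrees with their content. The demo files it writes to a temp folder are constructed headers, not real samples. It only inspects standalone files; whether JPEG 2000 streams embedded in other documents reach the same parser is not stated on this page, so the scanner makes no claim about them.

```powershell
# Added example (not from the vendor or the original page): recognise JPEG 2000 content
# by its leading bytes rather than by extension, so a renamed .jp2/.j2k is still caught.
# Signatures: the JP2 container's signature box, and the raw codestream's SOC+SIZ markers.
$Jp2Signature  = [byte[]](0x00, 0x00, 0x00, 0x0C, 0x6A, 0x50, 0x20, 0x20, 0x0D, 0x0A, 0x87, 0x0A)
$J2kCodestream = [byte[]](0xFF, 0x4F, 0xFF, 0x51)
$Jpeg2000Extensions = @('.j2k', '.j2c', '.jp2', '.jpx', '.jpf')

function Test-BytePrefix([byte[]]$Data, [byte[]]$Signature) {
    if ($Data.Length -lt $Signature.Length) { return $false }
    for ($i = 0; $i -lt $Signature.Length; $i++) {
        if ($Data[$i] -ne $Signature[$i]) { return $false }
    }
    return $true
}

function Get-Jpeg2000Kind {
    # Returns 'JP2' or 'J2K' when the file starts with a JPEG 2000 signature, otherwise $null.
    param([Parameter(Mandatory)][string]$Path)
    $header = [byte[]]::new(12)          # longest signature is 12 bytes; shorter files stay zero-padded
    $stream = [System.IO.File]::OpenRead($Path)
    try { [void]$stream.Read($header, 0, $header.Length) } finally { $stream.Dispose() }
    if (Test-BytePrefix $header $Jp2Signature)  { return 'JP2' }
    if (Test-BytePrefix $header $J2kCodestream) { return 'J2K' }
    return $null
}

function Find-Jpeg2000Files {
    # Walks a folder (mail quarantine, download directory, file share) and reports every
    # file whose content is JPEG 2000, flagging those whose extension says otherwise.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse | ForEach-Object {
        $kind = Get-Jpeg2000Kind -Path $_.FullName
        if ($kind) {
            [pscustomobject]@{
                File      = $_.FullName
                Extension = $_.Extension
                Content   = $kind
                Disguised = ($Jpeg2000Extensions -notcontains $_.Extension)
            }
        }
    }
}

# Constructed demo input: four small files in a temp folder (headers only, not real samples).
$demo = Join-Path $env:TEMP 'j2k-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
[System.IO.File]::WriteAllBytes((Join-Path $demo 'image.jp2'),   [byte[]]($Jp2Signature  + (1..16)))
[System.IO.File]::WriteAllBytes((Join-Path $demo 'raw.j2k'),     [byte[]]($J2kCodestream + (1..16)))
[System.IO.File]::WriteAllBytes((Join-Path $demo 'invoice.pdf'), [byte[]]($Jp2Signature  + (1..16)))   # JP2 renamed to .pdf
[System.IO.File]::WriteAllBytes((Join-Path $demo 'readme.txt'),  [System.Text.Encoding]::ASCII.GetBytes('not an image'))

Find-Jpeg2000Files -Root $demo | Format-Table -AutoSize
```

Point it at a quarantine or download folder instead of the demo directory to audit what an extension-only rule would have let through; the Disguised column is the one that matters for gateway tuning.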

🔍 How to Verify

Check if Vulnerable:

Open PDF-XChange Editor > Help > About > Check version number is below 9.3.361.0

Check Version:

Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object DisplayName -like 'PDF-XChange Editor*' | Select-Object DisplayName, DisplayVersion

(The older form, wmic product where name="PDF-XChange Editor" get version, queries Win32_Product, which is slow, triggers an MSI consistency check of every installed package, is deprecated on current Windows, and only matches if the registered name is exactly "PDF-XChange Editor".)

Verify Fix Applied:

Confirm version is 9.3.361.0 or higher in Help > About dialog
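The three checks above can be run as one script. The following is an added example, not the vendor's or the page's own tooling: it reads the version from the Uninstall registry entries (64-bit, 32-bit and per-user hives) and from the editor binary itself, normalises three-part version strings so "9.3.361" is not misread as older than "9.3.361.0", and compares against the fixed build named on this page. The DisplayName prefix and the install path of PDFXEdit.exe are assumptions; check them against your own deployment.

```powershell
# Added example (not from the vendor or the original page). Assumptions to verify on
# your hosts: the Add/Remove Programs entry has a DisplayName starting "PDF-XChange
# Editor", and the main executable is PDFXEdit.exe under Program Files\Tracker Software.
$FixedVersion = [version]'9.3.361.0'   # first fixed build according to this page

function ConvertTo-FourPartVersion([string]$Text) {
    # "9.3.361" must compare equal to "9.3.361.0"; [version] treats a missing part as -1.
    $parts = ($Text.Trim() -split '\.') + @('0', '0', '0', '0')
    return [version]($parts[0..3] -join '.')
}

function Get-PdfXChangeEditorVersion {
    # Source 1: Uninstall registry entries (64-bit, 32-bit and per-user hives).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'PDF-XChange Editor*' -and $_.DisplayVersion } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'Registry'
                Name    = $_.DisplayName
                Version = ConvertTo-FourPartVersion $_.DisplayVersion
            }
        }

    # Source 2: the binary itself, which is what a malicious J2K file actually reaches.
    # The install path is an assumption; adjust it if your deployment differs.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $exe = "$root\Tracker Software\PDF Editor\PDFXEdit.exe"
        if (Test-Path -LiteralPath $exe) {
            $vi = (Get-Item -LiteralPath $exe).VersionInfo
            [pscustomobject]@{
                Source  = 'File'
                Name    = $exe
                Version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            }
        }
    }
}

function Test-PdfXChangeEditorVulnerable {
    $found = @(Get-PdfXChangeEditorVersion)
    if ($found.Count -eq 0) { return 'PDF-XChange Editor not detected on this host' }
    foreach ($f in $found) {
        $state = if ($f.Version -lt $FixedVersion) { 'VULNERABLE to CVE-2022-37354' } else { 'patched' }
        '{0,-8} {1,-12} {2,-28} {3}' -f $f.Source, $f.Version, $state, $f.Name
    }
}

Test-PdfXChangeEditorVulnerable
```

If the registry and the file disagree (for example after a failed or partial upgrade), trust the file version: that is the code the parser runs from.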

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of PDF-XChange Editor (Windows Application log, source "Application Error", event 1000), which a failed or probing exploit leaves behind
  • Unusual child processes of PDF-XChange Editor, in particular shells, script hosts and LOLBins (cmd.exe, powershell.exe, wscript.exe, mshta.exe, rundll32.exe, regsvr32.exe)
  • J2K/JPEG 2000 files arriving by email or download and then being opened with the editor

Network Indicators:

  • Downloads of J2K/JPEG 2000 files from untrusted sources (match on content type and signature bytes, not only on extension)
  • Outbound connections from the PDF-XChange Editor process, or from its child processes, to unfamiliar destinations

SIEM Query:

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ParentImage="*\\PDFXEdit.exe" (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\wscript.exe" OR Image="*\\mshta.exe" OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe")

index=windows sourcetype="WinEventLog:Application" EventCode=1000 SourceName="Application Error" Message="*PDFXEdit.exe*"

(Splunk-style; PDFXEdit.exe is assumed to be the editor's process name, so confirm it on your build. A payload name is never known in advance, so matching on a fixed name such as "malicious.exe" detects nothing; match on the parent process instead.)
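On a host without a SIEM, the same two indicators can be pulled straight from the event logs. The following added example (not from the page or the vendor) flattens Sysmon process-creation events (Event ID 1), lists every child of the editor with shells and LOLBins marked HIGH and everything else left for review, and separately lists Application Error events where the editor was the faulting application. It assumes Sysmon is installed with process-creation logging and that the editor's executable is PDFXEdit.exe; adjust the pattern if your build differs.

```powershell
# Added example (not from the page or the vendor). Assumes Sysmon is installed with
# process-creation logging (Event ID 1) and that the editor's executable is PDFXEdit.exe;
# confirm the name on your build and adjust $ParentPattern if needed.
$ParentPattern = '\\PDFXEdit\.exe$'
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                        'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe', 'msiexec.exe')

function Get-SysmonProcessCreate {
    # Reads Sysmon Event ID 1 and flattens the EventData name/value pairs into one object per event.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data['User']
            Parent      = $data['ParentImage']
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
        }
    }
}

function Find-PdfXChangeChildProcesses {
    # Every process whose parent is the editor. Shells and LOLBins are flagged HIGH; anything
    # else is listed for review, since printing and updater helpers are expected children.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-SysmonProcessCreate -Since $Since |
        Where-Object { $_.Parent -match $ParentPattern } |
        ForEach-Object {
            $leaf = [System.IO.Path]::GetFileName($_.Image)
            $sev  = if ($SuspiciousChildren -contains $leaf) { 'HIGH' } else { 'review' }
            $_ | Add-Member -NotePropertyName Severity -NotePropertyValue $sev -PassThru
        }
}

function Get-PdfXChangeCrashes {
    # Windows Error Reporting: Application Error event 1000 with the editor as the faulting application.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PDFXEdit\.exe' } |
        Select-Object TimeCreated, @{ n = 'Fault'; e = { ($_.Message -split "`r?`n")[0] } }
}

Find-PdfXChangeChildProcesses | Sort-Object Severity, Time | Format-Table -AutoSize
Get-PdfXChangeCrashes | Format-Table -AutoSize
```

Run it over a quiet period first to learn which child processes the editor legitimately spawns on your image, then move those into an allowlist rather than widening $SuspiciousChildren. A crash followed within minutes by a HIGH child from the same user is the pairing worth escalating.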

🔗 References
