CVE-2022-37364

7.8 HIGH

📋 TL;DR

CVE-2022-37364 is a buffer overflow in the EMF (Enhanced Metafile) parsing component of PDF-XChange Editor, fixed in version 9.3.361.0. A crafted EMF file corrupts memory when the editor parses it, and a successful exploit runs attacker-controlled code in the context of the current user. Delivery is by tricking the victim into opening the malicious file or visiting a malicious web page that serves it; no credentials are needed, but the victim must open the content. Every installation running an affected version is exposed, default settings included.

💻 Affected Systems

Products:
  • PDF-XChange Editor
Versions: Versions prior to 9.3.361.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with default settings are vulnerable. The vulnerability affects the EMF file parsing component.

📦 What is this software?

PDF-XChange Editor is Tracker Software's PDF viewer and editor for Windows. Besides PDF it imports and renders several image formats, including Enhanced Metafiles (EMF); that EMF parser is the component affected by this CVE.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Malware installation or data exfiltration from the compromised system, with the attacker operating in the context of the current user's privileges.

🟢

If Mitigated

Limited impact due to application sandboxing, limited user privileges, or network segmentation preventing lateral movement.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

User interaction is required: the victim must open the crafted EMF file or visit a page that delivers it. No public proof of concept is known for this CVE, but memory-corruption bugs in document and image parsers are a well-trodden exploitation class with low complexity once the crash is understood, so treat weaponization as plausible rather than theoretical.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.3.361.0 and later

Vendor Advisory: https://www.tracker-software.com/product/pdf-xchange-editor/history

Restart Required: Yes

Instructions:

1. Open PDF-XChange Editor
2. Go to Help > Check for Updates
3. Follow prompts to update to version 9.3.361.0 or later
4. Restart the application

🔧 Temporary Workarounds

Disable EMF file association

windows

Prevent PDF-XChange Editor from automatically opening EMF files

1. Open Windows Settings
2. Go to Apps > Default apps
3. Click 'Choose default apps by file type'
4. Find the .emf extension and assign a different application (or none)

Caveat: this only stops double-click launches from Explorer and mail clients. A user can still open an EMF through File > Open or drag-and-drop, and it does not cover the malicious-web-page delivery route the advisory mentions, so treat it as a speed bump rather than a fix.

Application sandboxing

windows

Run PDF-XChange Editor in a restricted environment

Use Windows Sandbox or similar virtualization to open untrusted files

🧯 If You Can't Patch

  • Use AppLocker or WDAC publisher rules to block the vulnerable build of PDFXEdit.exe (publisher rules can restrict by file version, so allow only 9.3.361.0 and above) rather than blocking the editor outright, unless removing it is acceptable
  • Run the editor only as a standard, non-administrative user so that a successful exploit inherits limited privileges
  • Deploy network segmentation to limit lateral movement from compromised systems

🔍 How to Verify

Check if Vulnerable:

Check PDF-XChange Editor version in Help > About. If version is below 9.3.361.0, the system is vulnerable.

Check Version:

In PDF-XChange Editor: Help > About

Verify Fix Applied:

Verify version is 9.3.361.0 or higher in Help > About dialog.
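As a fleet-level alternative to clicking through Help > About on each machine, here is an added PowerShell check (not vendor tooling and not part of the original advisory) that reads the file version of PDFXEdit.exe and compares it with the fixed version 9.3.361.0. It assumes the editor's executable is named PDFXEdit.exe and probes the usual install directories under Tracker Software\PDF Editor plus the Windows uninstall registry keys; adjust those paths if your deployment differs.

```powershell
# Added example (not from the advisory or the vendor): report whether an
# installed PDF-XChange Editor build is older than the fixed version 9.3.361.0.
# Assumptions: the binary is PDFXEdit.exe; the default install paths below are
# the usual ones but may differ per site, so the uninstall registry keys are
# searched as well.
$FixedVersion = [version]'9.3.361.0'

function Get-PdfXChangeEditorInstalls {
    $candidates = @(
        "$env:ProgramFiles\Tracker Software\PDF Editor\PDFXEdit.exe",
        "${env:ProgramFiles(x86)}\Tracker Software\PDF Editor\PDFXEdit.exe"
    )
    # Also resolve install locations recorded by the installer (64- and 32-bit hives).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $fromRegistry = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'PDF-XChange*' -and $_.InstallLocation } |
        ForEach-Object { Join-Path $_.InstallLocation 'PDFXEdit.exe' }
    ($candidates + $fromRegistry) | Where-Object { Test-Path $_ } | Select-Object -Unique
}

function Test-CVE202237364 {
    param([Parameter(Mandatory)][string]$ExePath)
    $info = (Get-Item $ExePath).VersionInfo
    # FileVersion is a free-text string and may carry suffixes; build a
    # comparable [version] from the numeric parts instead.
    $v = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                        $info.FileBuildPart, $info.FilePrivatePart)
    [pscustomobject]@{
        Path       = $ExePath
        Version    = $v
        Vulnerable = ($v -lt $FixedVersion)   # $true means CVE-2022-37364 applies
    }
}

$found = Get-PdfXChangeEditorInstalls
if (-not $found) { Write-Output 'PDF-XChange Editor not found on this host'; return }
$found | ForEach-Object { Test-CVE202237364 -ExePath $_ } | Format-Table -AutoSize
```

Run it under an account that can read the Program Files tree and HKLM; wrap it in Invoke-Command or your endpoint management tool to sweep many hosts. Comparing the numeric file-version parts rather than the FileVersion string avoids false negatives when the vendor appends text to the version field.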

📡 Detection & Monitoring

Log Indicators:

  • Crashes of PDFXEdit.exe recorded as Application Error (Event ID 1000) or Windows Error Reporting (Event ID 1001) entries, especially shortly after an EMF file was opened; a failed exploit attempt often leaves nothing but a crash
  • Unexpected child processes of PDFXEdit.exe (cmd.exe, powershell.exe, script hosts, rundll32.exe and similar), which a document editor does not normally spawn
  • Repeated opening of the same EMF file across several hosts preceding crashes

Network Indicators:

  • Outbound connections from PDFXEdit.exe, or from its child processes, to unfamiliar external IPs
  • DNS requests for known malicious domains originating from the editor or its children

SIEM Query:

Process Creation where ParentImage ends with '\PDFXEdit.exe' AND Image ends with one of ('\cmd.exe', '\powershell.exe', '\pwsh.exe', '\wscript.exe', '\cscript.exe', '\mshta.exe', '\rundll32.exe', '\regsvr32.exe')

A query such as Process Creation where Image contains 'PDFXEdit.exe' AND ParentImage contains 'explorer.exe' AND CommandLine contains '.emf' only records that a user double-clicked an EMF file, which is normal usage; keep it as enrichment for the child-process rule above rather than as an alert on its own.
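To show the child-process rule actually running, here is an added PowerShell hunt (not part of the original page) that evaluates the check over constructed sample events and, optionally, over live Sysmon Event ID 1 records. It assumes Sysmon is installed with its default channel name and uses Sysmon's field names (Image, ParentImage, CommandLine); the sample events are made up for illustration and are not real telemetry.

```powershell
# Added example (not from the advisory): flag suspicious child processes of
# PDF-XChange Editor. Assumption: Sysmon process-creation events (ID 1) in the
# default 'Microsoft-Windows-Sysmon/Operational' channel with standard field names.

# Binaries a PDF editor has no business launching after parsing a file.
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                        'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe')

function Test-SuspiciousPdfXChangeChild {
    param(
        [Parameter(Mandatory)][string]$Image,
        [Parameter(Mandatory)][string]$ParentImage,
        [string]$CommandLine = ''
    )
    # Compare file names, not substrings, so paths like ...\NotPDFXEdit.exe do not match.
    $parentName = [IO.Path]::GetFileName($ParentImage)
    $childName  = [IO.Path]::GetFileName($Image)
    if ($parentName -ne 'PDFXEdit.exe') { return $false }
    return ($SuspiciousChildren -contains $childName)
}

function Get-SysmonProcessCreate {
    # Read Event ID 1 from Sysmon and project the fields the check needs.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = $d['Image']
                ParentImage = $d['ParentImage']
                CommandLine = $d['CommandLine']
            }
        }
}

# Constructed sample events (not real telemetry). Only the last two should be flagged.
$samples = @(
    [pscustomobject]@{ Image = 'C:\Windows\explorer.exe'
                       ParentImage = 'C:\Windows\System32\userinit.exe'
                       CommandLine = 'explorer.exe' },
    [pscustomobject]@{ Image = 'C:\Program Files\Tracker Software\PDF Editor\PDFXEdit.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = '"PDFXEdit.exe" "C:\Users\a\Downloads\invoice.emf"' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Program Files\Tracker Software\PDF Editor\PDFXEdit.exe'
                       CommandLine = 'cmd.exe /c whoami' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Program Files\Tracker Software\PDF Editor\PDFXEdit.exe'
                       CommandLine = 'powershell.exe -nop -w hidden' }
)

$samples | Where-Object { Test-SuspiciousPdfXChangeChild -Image $_.Image -ParentImage $_.ParentImage -CommandLine $_.CommandLine }

# Against live Sysmon data instead:
# Get-SysmonProcessCreate | Where-Object { Test-SuspiciousPdfXChangeChild -Image $_.Image -ParentImage $_.ParentImage }
```

The second sample, PDFXEdit.exe launched from explorer.exe with an .emf argument, is deliberately included and not flagged: that is ordinary use and matches the noisy query discussed above. The child-process condition is the one worth alerting on, and it keys on the parent's file name so that an attacker renaming a LOLBin does not evade it as easily as a command-line match would.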
