CVE-2022-37377

CVSS 7.8 HIGH

📋 TL;DR

This vulnerability in Foxit PDF Editor allows remote attackers to execute arbitrary code by tricking a user into opening a malicious PDF file or visiting a malicious web page. The flaw lies in the JavaScript engine's handling of optimized JavaScript: insufficient validation of user-supplied data produces a type confusion that an attacker can turn into code execution in the context of the Foxit process. Foxit PDF Editor 11.1.1.53537 is affected.

💻 Affected Systems

Products:
  • Foxit PDF Editor
Versions: 11.1.1.53537
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: User interaction required (opening malicious PDF or visiting malicious webpage). All Windows installations with this version are vulnerable.

📦 What is this software?

Foxit PDF Editor (formerly Foxit PhantomPDF) is Foxit Software's commercial PDF creation and editing suite for Windows. It ships its own JavaScript engine for form scripting and document actions, and that engine's optimized-JavaScript path is the component this vulnerability affects.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the affected system, data theft, ransomware deployment, and lateral movement within the network.

🟠 Likely Case

Malware installation, credential theft, and data exfiltration from the compromised system.

🟢 If Mitigated

Limited impact: with the editor running as a standard (non-administrator) user inside an application sandbox, a successful exploit is contained to the PDF editor process and that user's privileges.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (the victim must open the PDF or visit the page) but no authentication or prior access, and the file can arrive by email attachment, download, or web link, so the host needs no network exposure. Type confusion bugs in PDF JavaScript engines are routinely weaponized in document-based attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.2.0 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Download the latest version from the Foxit website.
2. Run the installer.
3. Restart the system.
4. Verify the update in Help > About.

🔧 Temporary Workarounds

Disable JavaScript in Foxit PDF Editor (Windows)

Prevents exploitation by disabling JavaScript execution in PDF files. The vulnerable code is the JavaScript engine's optimization path, so a document cannot reach it while JavaScript is off; scripted forms and document actions stop working until it is re-enabled.

Open Foxit PDF Editor > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use an alternative PDF viewer (all platforms)

Temporarily open PDFs in a different application that is not affected by this vulnerability, and make sure Foxit is no longer the default handler for .pdf files so that double-clicked attachments do not still launch it.

🧯 If You Can't Patch

  • Run Foxit PDF Editor as a standard (non-administrator) user so that any code execution is confined to that user's privileges
  • Implement application control (allow-listing, e.g. AppLocker or WDAC) to block unauthorized executables and script hosts that an exploit payload would drop or spawn

🔍 How to Verify

Check if Vulnerable:

Open Help > About in Foxit PDF Editor; version 11.1.1.53537 is affected.

Check Version:

For a scripted or fleet-wide check, read the DisplayVersion value of the Foxit PDF Editor entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (or the WOW6432Node equivalent for the 32-bit build), or inventory the file version of the installed executable. Compare versions numerically, not as strings.

Verify Fix Applied:

Verify the version is 11.2.0 or higher in Help > About.
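A version comparison helper for the check above, added here as an example (it is not Foxit's code and not part of the original advisory). It compares dotted versions as numeric tuples because plain string comparison misorders releases such as "11.10.0" and "11.2.0". The registry lookup assumes the product registers a per-machine Uninstall entry whose DisplayName starts with "Foxit PDF Editor"; on non-Windows hosts it simply returns None and the script falls back to sample values.

```python
"""Version check for CVE-2022-37377 (added example, not part of the advisory)."""
import sys

FIXED_VERSION = "11.2.0"            # from the advisory
KNOWN_AFFECTED = "11.1.1.53537"     # from the advisory


def parse_version(text):
    """'11.1.1.53537' -> (11, 1, 1, 53537); non-numeric parts raise ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when `version` sorts before `fixed` numerically (missing parts count as 0)."""
    v, f = parse_version(version), parse_version(fixed)
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f


def string_compare_is_wrong():
    """Why tuples are used: lexically '11.10.0' < '11.2.0', numerically it is newer."""
    return "11.10.0" < "11.2.0" and not is_vulnerable("11.10.0", "11.2.0")


def installed_foxit_version():
    """Windows only: DisplayVersion of the first Uninstall entry named 'Foxit PDF Editor*'.

    Returns None when not on Windows or when no entry is found. The key paths are the
    standard per-machine Uninstall hives; the DisplayName prefix is an assumption.
    """
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows

    hives = (
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
        r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    )
    for hive in hives:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, hive)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(root, name) as sub:
                        display, _ = winreg.QueryValueEx(sub, "DisplayName")
                        if str(display).startswith("Foxit PDF Editor"):
                            version, _ = winreg.QueryValueEx(sub, "DisplayVersion")
                            return str(version)
                except OSError:
                    continue  # entry without DisplayName/DisplayVersion
    return None


def assess(version):
    """One-line verdict an inventory report would carry."""
    status = "VULNERABLE" if is_vulnerable(version) else "patched"
    return f"Foxit PDF Editor {version}: {status} (fixed in {FIXED_VERSION})"


if __name__ == "__main__":
    found = installed_foxit_version()
    if found is None:
        print("No Foxit PDF Editor Uninstall entry found (or not running on Windows); sample values:")
        for sample in (KNOWN_AFFECTED, FIXED_VERSION, "12.0.0"):  # "12.0.0" is a constructed sample
            print(assess(sample))
    else:
        print(assess(found))
```

Feed `is_vulnerable()` the DisplayVersion strings exported from your inventory tool; anything that sorts below 11.2.0 is a machine that still needs the update.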

📡 Detection & Monitoring

Log Indicators:

  • Foxit PDF Editor spawning a shell or script host (cmd.exe, powershell.exe, wscript.exe, mshta.exe, rundll32.exe), which a PDF editor has no legitimate reason to launch
  • An unusually high number of child processes spawned from the Foxit process
  • Foxit opening a PDF that carries the Mark-of-the-Web (downloaded or received by email) shortly before the suspicious activity

Network Indicators:

  • Outbound connections from Foxit process to suspicious IPs
  • DNS requests for known malicious domains after PDF opening

SIEM Query:

process_name:"FoxitPDFEditor.exe" AND (process_child_count > 3 OR network_connection_count > 5)

The field names above are illustrative and must be mapped to your own schema (for Sysmon, child processes are Event ID 1 with ParentImage ending in FoxitPDFEditor.exe and connections are Event ID 3 with Image ending in FoxitPDFEditor.exe). Treat the count thresholds as a coarse heuristic: a single cmd.exe or powershell.exe child of the Foxit process is a higher-fidelity signal than any count.
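The triage logic behind that query, as an added example (not from the advisory and not Foxit's or any SIEM vendor's code): it walks Sysmon-style process-create (Event ID 1) and network-connect (Event ID 3) events, groups them by Foxit parent PID, and flags a process that spawned a shell/script host, exceeded the page's child-count threshold, or exceeded its distinct-destination threshold. The event dicts use Sysmon's field names; the sample events, PIDs, addresses and the default install path are constructed for this example.

```python
"""Process-tree triage for Foxit PDF Editor (added example, not part of the advisory)."""
from collections import defaultdict

FOXIT_IMAGE = "foxitpdfeditor.exe"
# Default install path, assumed for the constructed sample below.
FOXIT_PATH = r"C:\Program Files (x86)\Foxit Software\Foxit PDF Editor\FoxitPDFEditor.exe"

# A PDF editor has no legitimate reason to launch these; one hit is a high-fidelity signal.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Thresholds from the page's SIEM query: > 3 children or > 5 connections per process.
CHILD_THRESHOLD = 3
NET_THRESHOLD = 5


def _spawn(parent_pid, child_pid, image):
    """Constructed Sysmon Event ID 1 (process create) with Foxit as the parent."""
    return {"EventID": 1, "ProcessId": child_pid, "Image": image,
            "ParentProcessId": parent_pid, "ParentImage": FOXIT_PATH}


def _connect(pid, ip, port):
    """Constructed Sysmon Event ID 3 (network connect) from the Foxit process."""
    return {"EventID": 3, "ProcessId": pid, "Image": FOXIT_PATH,
            "DestinationIp": ip, "DestinationPort": port}


# Constructed telemetry, not real events (documentation IP ranges used).
SAMPLE_EVENTS = (
    [_spawn(4100, 4188, r"C:\Windows\System32\cmd.exe")]                      # one cmd.exe child
    + [_spawn(5200, 5244, r"C:\Windows\splwow64.exe")]                        # print helper, benign
    + [_connect(5200, "192.0.2.10", 443), _connect(5200, "192.0.2.11", 443)]  # two destinations
    + [_connect(6300, f"203.0.113.{n}", 443) for n in range(20, 26)]          # six destinations
)


def _basename(path):
    """Image basename, lower-cased, tolerant of forward or back slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events, child_threshold=CHILD_THRESHOLD, net_threshold=NET_THRESHOLD):
    """Return {foxit_pid: [reasons]} for every Foxit process that deserves a look."""
    children = defaultdict(list)   # Foxit PID -> child image basenames
    conns = defaultdict(set)       # Foxit PID -> distinct (ip, port) destinations
    for ev in events:
        if ev["EventID"] == 1 and _basename(ev["ParentImage"]) == FOXIT_IMAGE:
            children[ev["ParentProcessId"]].append(_basename(ev["Image"]))
        elif ev["EventID"] == 3 and _basename(ev["Image"]) == FOXIT_IMAGE:
            conns[ev["ProcessId"]].add((ev["DestinationIp"], ev["DestinationPort"]))

    findings = {}
    for pid in sorted(set(children) | set(conns)):
        kids = children.get(pid, [])
        targets = conns.get(pid, set())
        reasons = []
        bad = sorted(set(kids) & SUSPICIOUS_CHILDREN)
        if bad:  # checked first: fires even when the child count is below threshold
            reasons.append("spawned shell/script host: " + ", ".join(bad))
        if len(kids) > child_threshold:
            reasons.append(f"{len(kids)} child processes (> {child_threshold})")
        if len(targets) > net_threshold:
            reasons.append(f"{len(targets)} distinct network destinations (> {net_threshold})")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(f"PID {pid}: " + "; ".join(reasons))
```

On the constructed sample, PID 4100 is flagged for its single cmd.exe child even though it never reaches the count threshold, PID 6300 is flagged on distinct destinations, and PID 5200 (a print helper plus two connections) stays quiet; the same function runs unchanged over a day's exported Sysmon events once they are loaded as dicts.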
