CVE-2023-27364
📋 TL;DR
This vulnerability in Foxit PDF Editor allows remote attackers to execute arbitrary code by tricking users into opening malicious XLS files. The flaw exists in how the software handles macro-enabled documents without proper restrictions. Users of affected Foxit PDF Editor versions are at risk.
💻 Affected Systems
- Foxit PDF Editor
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the victim's computer, potentially leading to data theft, ransomware deployment, or lateral movement within networks.
Likely Case
Malware installation leading to data exfiltration, credential theft, or system disruption for individual users who open malicious XLS files.
If Mitigated
Limited impact with proper security controls like application whitelisting, macro restrictions, and user training preventing successful exploitation.
🎯 Exploit Status
Exploitation requires user interaction but is straightforward once a malicious XLS file is opened. Weaponization is likely due to the nature of file-based RCE vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Foxit PDF Editor 12.1.2.15332 and later
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: Yes
Instructions:
1. Download latest version from Foxit website.
2. Run installer.
3. Restart computer.
4. Verify version is 12.1.2.15332 or higher.
🔧 Temporary Workarounds
Disable XLS file handling in Foxit PDF Editor
Windows: Prevent Foxit PDF Editor from opening XLS files by modifying file associations
Control Panel > Default Programs > Set Associations > Find .xls/.xlsx > Change to Excel or other application
Block macro execution
Windows: Configure system or application policies to block macro execution from untrusted sources
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized executables from running
- Deploy email/web filtering to block malicious XLS attachments and downloads
🔍 How to Verify
Check if Vulnerable:
Check the Foxit PDF Editor version in Help > About. If the version is below 12.1.2.15332, the system is vulnerable.
Check Version:
wmic product where name="Foxit PDF Editor" get version
Verify Fix Applied:
Verify that the version is 12.1.2.15332 or higher in Help > About. Test opening legitimate XLS files to ensure functionality is maintained.
📡 Detection & Monitoring
Log Indicators:
- Process creation events from Foxit PDF Editor spawning unusual child processes
- File access events showing Foxit PDF Editor opening XLS files followed by suspicious activity
Network Indicators:
- Outbound connections from Foxit PDF Editor process to suspicious IPs/domains
- DNS queries for known malicious domains following XLS file opening
SIEM Query:
source="*security*" AND process_name="FoxitPDFEditor.exe" AND (file_extension=".xls" OR file_extension=".xlsx") AND child_process_created="*"
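The first log indicator above (Foxit PDF Editor spawning unusual child processes, ranked higher when the parent was opened on an XLS file), as an added triage example that is not part of the original page or any vendor tooling. It assumes process-creation events exported as JSON lines with Sysmon Event ID 1 field names; the child-process list, the placeholder install path and the sample events are constructed assumptions.

```python
import json
import re

FOXIT_IMAGE = "foxitpdfeditor.exe"  # process name taken from the page's SIEM query
# Assumption: starter list of shells and script hosts a PDF editor has no
# routine reason to launch; tune it for your environment.
UNUSUAL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Matches a .xls/.xlsx argument ending at a quote, whitespace or end of line.
XLS_ARG = re.compile(r'\.xlsx?(?=["\s]|$)', re.IGNORECASE)

# Constructed sample events; C:\Placeholder is not the product's real path.
SAMPLE_EVENTS = r'''
{"UtcTime": "2023-05-02 09:14:07", "ParentImage": "C:\\Placeholder\\FoxitPDFEditor.exe", "ParentCommandLine": "\"C:\\Placeholder\\FoxitPDFEditor.exe\" \"C:\\Users\\demo\\Downloads\\invoice.xls\"", "Image": "C:\\Windows\\System32\\cmd.exe"}
{"UtcTime": "2023-05-02 09:20:31", "ParentImage": "C:\\Placeholder\\FoxitPDFEditor.exe", "ParentCommandLine": "\"C:\\Placeholder\\FoxitPDFEditor.exe\" \"C:\\Users\\demo\\report.pdf\"", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"UtcTime": "2023-05-02 09:25:02", "ParentImage": "C:\\Placeholder\\FoxitPDFEditor.exe", "ParentCommandLine": "\"C:\\Placeholder\\FoxitPDFEditor.exe\" \"C:\\Users\\demo\\budget.xlsx\"", "Image": "C:\\Windows\\splwow64.exe"}
{"UtcTime": "2023-05-02 09:30:44", "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe"}
'''

def image_name(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    if image_name(event.get("ParentImage", "")) != FOXIT_IMAGE:
        return None
    if image_name(event.get("Image", "")) not in UNUSUAL_CHILDREN:
        return None
    # An unusual child right after a spreadsheet was opened matches this CVE's path.
    opened_xls = XLS_ARG.search(event.get("ParentCommandLine", ""))
    return "high" if opened_xls else "medium"

def scan(lines):
    """Triage JSON-lines text; malformed lines are skipped, not fatal."""
    findings = []
    for line in lines.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        severity = triage(event)
        if severity:
            findings.append((event.get("UtcTime"), image_name(event["Image"]), severity))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```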