Login Sign Up

CVE-2023-27366

7.8 HIGH
Remote Code Execution

📋 TL;DR

This is a use-after-free vulnerability in Foxit PDF Reader's Doc object handling that allows remote attackers to execute arbitrary code. Attackers can exploit it by tricking users into opening malicious PDF files or visiting malicious web pages. All users running vulnerable versions of Foxit PDF Reader are affected.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: Versions prior to 12.1.2.15332
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Foxit PDF Editor may also be affected but confirmation needed from vendor advisory.

📦 What is this software?

Pdf Editor by Foxit

View all CVEs affecting Pdf Editor →

Pdf Editor by Foxit

View all CVEs affecting Pdf Editor →

Pdf Editor by Foxit

View all CVEs affecting Pdf Editor →

Pdf Reader by Foxit

View all CVEs affecting Pdf Reader →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Local privilege escalation leading to malware installation, credential theft, or data exfiltration from the compromised system.

🟢

If Mitigated

Limited impact due to sandboxing or application hardening, potentially resulting in application crash rather than code execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

ZDI published details but no public exploit code. User interaction required but exploitation is straightforward once malicious file is opened.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.1.2.15332 and later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader. 2. Go to Help > Check for Updates. 3. Follow prompts to download and install version 12.1.2.15332 or later. 4. Restart the application.

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

windows

Prevents JavaScript-based exploitation vectors

Open Foxit Reader > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Protected View

windows

Opens files in restricted mode to limit damage

Open Foxit Reader > File > Preferences > Trust Manager > Check 'Enable Safe Reading Mode'

🧯 If You Can't Patch

  • Block PDF files from untrusted sources at email/web gateways
  • Use alternative PDF readers that are not vulnerable

🔍 How to Verify

Check if Vulnerable:

Open Foxit Reader, go to Help > About Foxit Reader and check if version is below 12.1.2.15332

Check Version:

wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Confirm version is 12.1.2.15332 or higher in Help > About Foxit Reader

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected child processes spawned from Foxit Reader

Network Indicators:

  • Outbound connections from Foxit Reader to unusual destinations
  • DNS requests for suspicious domains after PDF opening

SIEM Query:

process_name="FoxitReader.exe" AND (event_id=1000 OR child_process_creation=true)

📊 Metadata

CVE ID: CVE-2023-27366
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: May 3, 2024
Last Updated: August 13, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-27366, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)