CVE-2023-27379

8.8 HIGH

📋 TL;DR

A use-after-free vulnerability in Foxit PDF Reader's JavaScript engine allows arbitrary code execution when users open malicious PDF files or visit malicious websites with the browser plugin enabled. This affects Foxit PDF Reader version 12.1.2.15332 users who open untrusted PDF documents or browse untrusted websites with the browser extension active.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: 12.1.2.15332
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Browser plugin extension must be enabled for web-based exploitation; all default configurations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the victim's computer, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Malware installation leading to credential theft, data exfiltration, or system disruption through drive-by download attacks via malicious websites.

🟢 If Mitigated

Limited impact with proper controls - potential application crash but no code execution if memory protections are enabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (opening file or visiting site) but no authentication. Memory corruption exploitation requires specific heap grooming.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.1.3 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader
2. Go to Help > Check for Updates
3. Follow prompts to install latest version
4. Restart computer after installation

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

all

Prevents exploitation by disabling JavaScript engine where vulnerability exists

Open Foxit Reader > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Disable Browser Plugin

all

Prevents web-based exploitation via malicious websites

Open browser extensions/settings and disable Foxit PDF Reader plugin

🧯 If You Can't Patch

  • Restrict PDF file opening to trusted sources only using application whitelisting
  • Implement network segmentation to limit lateral movement if exploitation occurs

🔍 How to Verify

Check if Vulnerable:

Check Foxit Reader version: Open Foxit > Help > About Foxit Reader

Check Version:

On Windows: wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Verify version is 12.1.3 or higher in About dialog

📡 Detection & Monitoring

Log Indicators:

  • Foxit Reader crash logs with memory access violations
  • Unexpected child processes spawned from Foxit Reader

Network Indicators:

  • Outbound connections from Foxit Reader process to unknown IPs
  • DNS requests for suspicious domains after PDF opening

SIEM Query:

(process_name:"FoxitReader.exe" AND event_id:1000) OR parent_process_name:"FoxitReader.exe"
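
The two log indicators and the query above, as an added example that is not part of the original page: a Python triage function run over constructed process events. Field names follow the query; the allowed_children parameter, the sample hosts and the sample paths are assumptions.

```python
# Added example: field names follow the page's SIEM query; events are constructed.
import ntpath

READER = "foxitreader.exe"
CRASH_EVENT_ID = 1000  # event_id used in the page's query


def _image(value):
    """Lower-cased file name of a process image; tolerates full paths and None."""
    return ntpath.basename(value or "").strip().lower()


def triage(events, allowed_children=frozenset()):
    """Return (host, reason, image) for each event matching a log indicator.

    allowed_children is a hypothetical, site-specific set of child image
    names known to be benign; it is empty by default.
    """
    allowed = {name.lower() for name in allowed_children}
    findings = []
    for ev in events:
        proc = _image(ev.get("process_name"))
        parent = _image(ev.get("parent_process_name"))
        host = ev.get("host", "unknown")
        # Indicator 1: the reader itself logged an application crash.
        if proc == READER and str(ev.get("event_id")) == str(CRASH_EVENT_ID):
            findings.append((host, "reader_crash", proc))
        # Indicator 2: a different process started with the reader as parent.
        elif parent == READER and proc != READER and proc not in allowed:
            findings.append((host, "child_of_reader", proc))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "process_name": "FoxitReader.exe", "event_id": 1000},
    {"host": "ws02", "process_name": r"C:\Windows\System32\cmd.exe",
     "parent_process_name": r"C:\Apps\FOXITREADER.EXE", "event_id": 4688},
    {"host": "ws03", "process_name": "FoxitReader.exe",
     "parent_process_name": "explorer.exe", "event_id": 4688},
    {"host": "ws04", "process_name": "notepad.exe", "event_id": "1000"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Matching on the file name rather than the full string keeps the check working when the log source records full image paths or mixed case.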
