CVE-2023-32664

8.8 HIGH

📋 TL;DR

A type confusion vulnerability in Foxit Reader's JavaScript checkThisBox method allows memory corruption when processing malicious PDF files. This can lead to remote code execution when users open specially crafted PDF documents. All users running vulnerable versions of Foxit Reader are affected.

💻 Affected Systems

Products:
  • Foxit Reader
Versions: 12.1.2.15332 and earlier
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. Exploitation requires JavaScript execution to be enabled for PDFs, which is the default setting.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control of the victim's computer, enabling data theft, ransomware deployment, or lateral movement within networks.

🟠 Likely Case

Remote code execution with the privileges of the current user, allowing installation of malware, credential theft, and persistence mechanisms.

🟢 If Mitigated

Limited impact if PDF files are opened in sandboxed environments or with restricted user privileges, though some data exfiltration may still occur.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (opening a malicious PDF). Technical details and a proof of concept are publicly available in Talos reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.1.3.15356 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: No

Instructions:

1. Open Foxit Reader
2. Go to Help > Check for Updates
3. Follow prompts to install latest version
4. Alternatively, download and install from Foxit website

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader (all platforms)

Prevents JavaScript execution in PDF files, blocking the attack vector.

Open Foxit Reader > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Protected View (all platforms)

Opens PDFs in a restricted mode that prevents script execution.

Open Foxit Reader > File > Preferences > General > Check 'Open documents in Protected View'

🧯 If You Can't Patch

  • Use alternative PDF readers that are not vulnerable
  • Block PDF files from untrusted sources at email gateways and web proxies

🔍 How to Verify

Check if Vulnerable:

Check the Foxit Reader version in Help > About. If the version is 12.1.2.15332 or earlier, the system is vulnerable.

Check Version:

On Windows: wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Verify version is 12.1.3.15356 or later in Help > About. Test opening known safe PDFs with JavaScript to ensure functionality.
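
A fleet-level version of the check above, as an added example that is not part of the original advisory: it classifies collected output of the wmic query against the two version thresholds on this page. Hostnames and sample outputs are constructed, the function names are hypothetical, and builds that fall between the two thresholds are reported as indeterminate because the advisory text does not cover them.

```python
import re

LAST_VULNERABLE = (12, 1, 2, 15332)  # from the advisory: this build and earlier
FIRST_FIXED = (12, 1, 3, 15356)  # from the advisory: this build or later
SEVERITY = ["vulnerable", "indeterminate", "unparsed", "fixed"]  # most urgent first


def parse_version(text):
    """Return a 4-tuple of ints for a dotted version string, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+){1,3}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version_text):
    """Map one reported version to a status from SEVERITY."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"
    if version <= LAST_VULNERABLE:
        return "vulnerable"
    if version >= FIRST_FIXED:
        return "fixed"
    # Builds between the two thresholds are not covered by the advisory text.
    return "indeterminate"


def triage(inventory):
    """inventory maps host -> decoded text output of the wmic version query."""
    report = {}
    for host, output in inventory.items():
        values = [ln.strip() for ln in output.splitlines()]
        values = [v for v in values if v and v.lower() != "version"]  # drop header
        report[host] = min((classify(v) for v in values),
                           key=SEVERITY.index, default="no version reported")
    return report


# Constructed sample inventory: hostnames and outputs are made up for illustration.
SAMPLE = {
    "ws-01": "Version\r\n12.1.2.15332\r\n\r\n",
    "ws-02": "Version\r\n12.1.3.15356\r\n",
    "ws-03": "Version\r\n10.0.0.1\r\n12.1.3.15356\r\n",  # two installs on one host
    "ws-04": "No Instance(s) Available.\r\n",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A host with several installs is reported by its most urgent status, and output that is not a version string is surfaced as unparsed for manual review.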

📡 Detection & Monitoring

Log Indicators:

  • Foxit Reader crash logs with memory access violations
  • Unexpected child processes spawned from Foxit Reader
  • Network connections from Foxit Reader to suspicious IPs

Network Indicators:

  • Outbound connections from Foxit Reader to command-and-control servers
  • DNS requests for malicious domains following PDF opening

SIEM Query:

(process_name:"FoxitReader.exe" AND event_id:1000) OR parent_process_name:"FoxitReader.exe"
