CVE-2023-33876 – A use-after-free vulnerability in Foxit Reader ... (How to Fix)

Q: What is the severity of CVE-2023-33876?

CVE-2023-33876 has a CVSS score of 8.8 (HIGH). A use-after-free vulnerability in Foxit Reader 12.1.2.15332 allows arbitrary code execution when processing malicious PDF files with crafted JavaScript. Attackers can exploit this by tricking users into opening malicious PDFs or visiting malicious websites with the browser plugin enabled. This affects all users running the vulnerable version of Foxit Reader.

📋 TL;DR

A use-after-free vulnerability in Foxit Reader 12.1.2.15332 allows arbitrary code execution when processing malicious PDF files with crafted JavaScript. Attackers can exploit this by tricking users into opening malicious PDFs or visiting malicious websites with the browser plugin enabled. This affects all users running the vulnerable version of Foxit Reader.

💻 Affected Systems

Products:

Foxit Reader

Versions: 12.1.2.15332

Operating Systems: Windows, Linux, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: Browser plugin extension must be enabled for web-based exploitation. All default installations are vulnerable.

📦 What is this software?

Pdf Reader by Foxit

View all CVEs affecting Pdf Reader →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining the same privileges as the user running Foxit Reader, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Malware installation leading to credential theft, data exfiltration, or system disruption.

🟢

If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially only crashing the application.

🌐 Internet-Facing: HIGH - Exploitation can occur through malicious websites if browser plugin is enabled, making internet-facing systems vulnerable.

🏢 Internal Only: MEDIUM - Requires user interaction (opening malicious PDF), but internal phishing campaigns could still be effective.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires user interaction but is straightforward once malicious PDF is opened. Public technical details available in Talos reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.1.3 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Download latest Foxit Reader from official website. 2. Run installer. 3. Restart system. 4. Verify version is 12.1.3 or higher.

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

all

Prevents exploitation by disabling JavaScript execution in PDF files

Open Foxit Reader > File > Preferences > Trust Manager > Uncheck 'Enable JavaScript'

Disable Browser Plugin

all

Prevents web-based exploitation through browser

Browser settings > Extensions/Add-ons > Disable Foxit Reader plugin

🧯 If You Can't Patch

Restrict PDF file handling to alternative PDF readers without this vulnerability
Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check Foxit Reader version in Help > About. If version is 12.1.2.15332 or earlier, system is vulnerable.

Check Version:

On Windows: wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Verify version is 12.1.3 or later in Help > About.

📡 Detection & Monitoring

Log Indicators:

Multiple Foxit Reader crashes
Unusual PDF file access patterns
JavaScript execution errors in Foxit logs

Network Indicators:

Downloads of PDF files from suspicious sources
Outbound connections from Foxit Reader process

SIEM Query:

process_name:"FoxitReader.exe" AND (event_id:1000 OR event_id:1001) | stats count by host

📊 Metadata

CVE ID: CVE-2023-33876

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: July 19, 2023

Last Updated: November 4, 2025

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1796 Exploit,Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1796 Exploit,Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1796

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-33876, you might also want to check these: