CVE-2023-35985

8.8 HIGH

📋 TL;DR

This vulnerability in Foxit Reader allows attackers to create arbitrary files on a victim's system through a malicious PDF file or website. When exploited, it can lead to arbitrary code execution. Users of Foxit Reader 12.1.3.15356 who open untrusted PDFs or visit malicious websites with the browser plugin enabled are affected.

💻 Affected Systems

Products:
  • Foxit Reader
Versions: 12.1.3.15356
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Browser plugin must be enabled for web-based exploitation; file-based exploitation requires opening malicious PDFs.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through arbitrary code execution leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Malware installation, data exfiltration, or system disruption through file manipulation.

🟢 If Mitigated

Limited impact if proper application sandboxing, file system permissions, and user awareness prevent successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (opening a file or visiting a malicious site).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.1.4 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Download the latest Foxit Reader from the official website.
2. Run the installer.
3. Restart the system.
4. Verify that the version is 12.1.4 or higher.

🔧 Temporary Workarounds

Disable Browser Plugin

Platform: all

Prevents web-based exploitation by disabling Foxit Reader browser integration.

In Foxit Reader: Edit > Preferences > General > uncheck 'Enable browser plugin'

Restrict File Creation

Platform: Windows

Apply file system permissions to limit where Foxit Reader can create files.

Windows: icacls "C:\Program Files\Foxit Software\Foxit Reader" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Use alternative PDF readers like Adobe Acrobat Reader or browser-based viewers.
  • Implement application whitelisting to block Foxit Reader execution.

🔍 How to Verify

Check if Vulnerable:

Check the Foxit Reader version in Help > About. If the version is 12.1.3.15356, the system is vulnerable.

Check Version:

Windows: wmic product where name="Foxit Reader" get version
Linux: foxitreader --version
macOS: /Applications/Foxit\ Reader.app/Contents/MacOS/FoxitReader --version

Verify Fix Applied:

Verify version is 12.1.4 or higher in Help > About.

📡 Detection & Monitoring

Log Indicators:

  • Foxit Reader process creating files in unusual locations
  • Suspicious file creation events in system logs

Network Indicators:

  • Unexpected outbound connections from Foxit Reader process

SIEM Query:

process_name:"FoxitReader.exe" AND file_create_path:("*.exe" OR "*.dll" OR "*.bat")
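
The SIEM query above expressed as runnable logic, as an added example (not from the vendor or the original page). It assumes file-creation events shaped like Sysmon Event ID 11 records with `Image` and `TargetFilename` fields; the `Host` field and all sample events are constructed. Matching is case-insensitive, as Windows paths are, and the extension is read from the final path component only.

```python
import ntpath  # parses Windows paths correctly on any analysis host

# Values taken from the page's SIEM query.
PROCESS_NAME = "foxitreader.exe"
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".bat"}


def is_suspicious(event):
    """Return True when a file-create event matches the page's query."""
    image = ntpath.basename(event.get("Image", "")).lower()
    target = event.get("TargetFilename", "")
    extension = ntpath.splitext(target)[1].lower()
    return image == PROCESS_NAME and extension in EXECUTABLE_EXTENSIONS


def find_hits(events):
    """Return (host, created file) pairs for every matching event."""
    return [(e.get("Host", "?"), e["TargetFilename"])
            for e in events if is_suspicious(e)]


FOXIT = r"C:\Program Files\Foxit Software\Foxit Reader\FoxitReader.exe"

# Constructed sample events (assumed field names: Host, Image, TargetFilename).
SAMPLE_EVENTS = [
    # Reader writing a temp file: not an executable type, no alert.
    {"Host": "ws-01", "Image": FOXIT,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\report.tmp"},
    # Upper-case image name and extension must still match.
    {"Host": "ws-01", "Image": FOXIT.upper(),
     "TargetFilename": r"C:\Users\alice\Documents\helper.DLL"},
    # Different process creating an .exe: outside this query's scope.
    {"Host": "ws-02", "Image": r"C:\Program Files\Browser\browser.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\setup.exe"},
    # ".bat" appears mid-name only; the real extension is .txt, no alert.
    {"Host": "ws-02", "Image": FOXIT,
     "TargetFilename": r"C:\Users\bob\Documents\notes.bat.txt"},
    {"Host": "ws-03", "Image": FOXIT,
     "TargetFilename": r"C:\Users\carol\Downloads\run.bat"},
]

if __name__ == "__main__":
    for host, path in find_hits(SAMPLE_EVENTS):
        print(f"ALERT {host}: Foxit Reader created {path}")
```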
