CVE-2023-37331
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious GIF files in Kofax Power PDF. Attackers can gain control of the affected system through a stack-based buffer overflow. All users of vulnerable Kofax Power PDF versions are affected.
💻 Affected Systems
- Kofax Power PDF
📦 What is this software?
Power PDF by Tungsten Automation (formerly Kofax)
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the victim's machine, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Malicious actor executes code with user privileges, potentially installing malware, stealing documents, or establishing persistence on the system.
If Mitigated
Attack fails due to proper controls, potentially causing an application crash but no code execution.
🎯 Exploit Status
Exploitation requires user interaction but is technically straightforward once a malicious GIF is crafted. ZDI has confirmed the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided references
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-23-926/
Restart Required: Yes
Instructions:
1. Check Kofax website for security updates
2. Download latest version of Power PDF
3. Install update
4. Restart system
🔧 Temporary Workarounds
Disable GIF file association
Windows: Prevent Power PDF from automatically opening GIF files
Control Panel > Default Programs > Associate a file type or protocol with a program > Change .gif association to another application
Block GIF files at perimeter
All platforms: Prevent malicious GIF files from reaching users
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized code execution
- Use email filtering to block GIF attachments from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Compare the installed Power PDF version against the vendor's list of patched versions
Check Version:
Open Power PDF > Help > About
Verify Fix Applied:
Verify Power PDF version is updated to latest release
📡 Detection & Monitoring
Log Indicators:
- Power PDF crashes when processing GIF files
- Unexpected child processes spawned from Power PDF
Network Indicators:
- Downloads of GIF files followed by unusual outbound connections
SIEM Query:
Process creation events where the parent process image contains 'PowerPDF' AND the child's command line contains unusual parameters
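The SIEM query above and the "unexpected child processes" / "crashes on GIF files" log indicators can be turned into concrete detection logic. The following is an added example, not part of the advisory or the vendor's tooling: it runs the same parent-contains-'PowerPDF' test over Sysmon-style process-creation records, flags script hosts and unusual command lines, and separately counts WerFault crash-reporter children as a crash indicator. The sample events, the Power PDF install path, the list of benign children and the set of "unusual" command-line fragments are all constructed assumptions to be tuned for your environment.

```python
"""Detect unexpected child processes of Kofax Power PDF (CVE-2023-37331 monitoring).

Added example, not from the advisory. Event fields follow Sysmon Event ID 1
naming (ParentImage, Image, CommandLine); everything else is an assumption.
"""
import re
from typing import Dict, Iterable, List, Optional

# Children a document viewer legitimately launches (assumed; tune per environment).
BENIGN_CHILDREN = {"splwow64.exe", "werfault.exe"}

# Script hosts and utilities a PDF viewer has no business spawning.
SCRIPT_HOSTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Command-line fragments that are unusual for a viewer's child process (assumed heuristics).
UNUSUAL_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|-nop\b|/c\s|downloadstring|frombase64string|https?://)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_power_pdf_parent(event: Dict[str, str]) -> bool:
    """The advisory's criterion: parent process image contains 'PowerPDF'."""
    return "powerpdf" in basename(event.get("ParentImage", ""))


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event is suspicious, else None."""
    if not is_power_pdf_parent(event):
        return None
    child = basename(event.get("Image", ""))
    if child in BENIGN_CHILDREN:
        return None
    if child in SCRIPT_HOSTS:
        return f"script host {child} spawned by Power PDF"
    if UNUSUAL_ARGS.search(event.get("CommandLine", "")):
        return f"unusual command line for child {child}"
    return None  # unknown child with plain arguments: record, but do not alert


def suspicious_children(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """All events that match the detection, each annotated with its reason."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append({**ev, "Reason": reason})
    return hits


def crash_indicators(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """WerFault launched by Power PDF: the 'crashes when processing GIF files' indicator."""
    return [ev for ev in events
            if is_power_pdf_parent(ev) and basename(ev.get("Image", "")) == "werfault.exe"]


# Constructed sample events (paths and arguments are illustrative, not real telemetry).
PPDF = r"C:\Program Files\Kofax\Power PDF\PowerPDF.exe"
SAMPLE_EVENTS = [
    {"ParentImage": PPDF, "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},                      # benign: print helper
    {"ParentImage": PPDF, "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": "WerFault.exe -u -p 4120 -s 512"},          # crash indicator
    {"ParentImage": PPDF, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},                          # script host child
    {"ParentImage": PPDF,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBB"}, # script host child
    {"ParentImage": PPDF, "Image": r"C:\Users\Public\update.exe",
     "CommandLine": "update.exe http://example.invalid/x"},     # unusual args
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},                          # unrelated parent
]

if __name__ == "__main__":
    for hit in suspicious_children(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Reason']}: {hit['CommandLine']}")
    print(f"Power PDF crash events: {len(crash_indicators(SAMPLE_EVENTS))}")
```

Feed the functions real Sysmon or EDR process-creation records instead of `SAMPLE_EVENTS`; the `BENIGN_CHILDREN` allowlist is where false positives from printing or updater components get tuned, and the crash indicator is worth trending on its own since a rise in GIF-triggered crashes may precede or accompany exploitation attempts.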