CVE-2023-38093

7.8 HIGH

📋 TL;DR

This is a stack-based buffer overflow in the saveAs method of Kofax Power PDF that allows remote code execution when a user opens a malicious PDF file or visits a malicious web page. An attacker who exploits it can run arbitrary code with the privileges of the user running the PDF application. All users of affected Kofax Power PDF versions are exposed.

💻 Affected Systems

Products:
  • Kofax Power PDF
Versions: All versions prior to the patched release (specific version numbers are not provided in the available references)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The vulnerability exists in the core saveAs functionality.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Local privilege escalation leading to data exfiltration, installation of malware, or persistence mechanisms on the compromised system.

🟢

If Mitigated

Application crash or denial of service if exploit fails, with potential for limited data exposure depending on system configuration.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious file/website) but PDF files are commonly shared via email and web, making initial access feasible.
🏢 Internal Only: HIGH - Internal users frequently share PDF documents, and successful exploitation could lead to lateral movement within corporate networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction but is technically straightforward once a malicious PDF has been crafted. The vulnerability was discovered by the Zero Day Initiative (ZDI-CAN-20604).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in the available references; check the Kofax advisory for the specific version

Vendor Advisory: https://www.kofax.com/security/advisories (check for specific advisory)

Restart Required: Yes

Instructions:

1. Check the currently installed Kofax Power PDF version
2. Visit the Kofax security advisory page
3. Download and install the latest security update
4. Restart the system to ensure the patch is fully applied

🔧 Temporary Workarounds

Disable PDF file opening in Kofax Power PDF (Windows)

Change the default PDF handler to an alternative PDF reader that is not vulnerable.

Windows: Control Panel > Default Programs > Set Default Programs > Choose alternative PDF reader

Application Control Policy (Windows)

Block execution of Kofax Power PDF via application whitelisting.

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems running vulnerable software
  • Deploy endpoint detection and response (EDR) solutions to detect exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Compare the installed Kofax Power PDF version against the patched version given in the vendor advisory

Check Version:

Open Kofax Power PDF > Help > About (or check installed programs in Control Panel)

Verify Fix Applied:

Verify that the version number after the update matches or exceeds the patched version specified by the vendor

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of Kofax Power PDF
  • Unusual process creation from PDF reader
  • Memory access violations in application logs

Network Indicators:

  • Downloads of PDF files from suspicious sources
  • Outbound connections from PDF application to unknown IPs

SIEM Query:

Process Creation where (ParentImage contains 'powerpdf' OR Image contains 'powerpdf') AND CommandLine contains unusual parameters

(Pseudo-syntax; the parentheses make the intended precedence explicit, so the rule fires only when the PDF reader is the parent or the image AND the command line is unusual. Adapt the field names to your SIEM.)
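The SIEM query above is pseudo-syntax. The following added example (not from the original page or from Kofax) applies the same rule, with the AND/OR precedence made explicit, to constructed Sysmon-style process-creation records in Python. The field names follow Sysmon Event ID 1; the sample events are made up, and the definition of "unusual parameters" is an assumed heuristic that you should tune to your environment.

```python
import json
import re

# Constructed Sysmon-style process-creation events (Event ID 1) as JSON lines.
# Paths, user names and command lines are made up for this example.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Program Files\\Kofax\\Power PDF\\PowerPDF.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"PowerPDF.exe\" C:\\Users\\alice\\invoice.pdf"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Kofax\\Power PDF\\PowerPDF.exe", "CommandLine": "cmd.exe /c powershell -w hidden -enc SQBFAFgA"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"EventID": 1, "Image": "C:\\Program Files\\Kofax\\Power PDF\\PowerPDF.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"PowerPDF.exe\" /print C:\\Users\\bob\\report.pdf"}
'''

# Assumed definition of "unusual parameters": flags and verbs a PDF reader has
# no reason to pass or to spawn (hidden/encoded PowerShell, shell one-liners).
UNUSUAL_PARAMS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|downloadstring|/c\s)",
    re.IGNORECASE,
)

def involves_powerpdf(event: dict) -> bool:
    """(ParentImage contains 'powerpdf' OR Image contains 'powerpdf')."""
    return any("powerpdf" in event.get(k, "").lower() for k in ("Image", "ParentImage"))

def is_suspicious(event: dict) -> bool:
    """The page's rule with explicit precedence: powerpdf clause AND unusual command line."""
    return (
        event.get("EventID") == 1
        and involves_powerpdf(event)
        and UNUSUAL_PARAMS.search(event.get("CommandLine", "")) is not None
    )

def scan(log_text: str) -> list[dict]:
    """Return the process-creation events that match the rule."""
    hits = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious(event):
            hits.append(event)
    return hits

if __name__ == "__main__":
    # Only the cmd.exe spawned by PowerPDF.exe with a hidden, encoded PowerShell payload fires.
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT parent={hit['ParentImage']} child={hit['Image']} cmd={hit['CommandLine']}")
```

Ordinary launches of the reader (opening or printing a PDF) do not match, which keeps the rule usable as an alert rather than a noisy audit trail.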
