CVE-2023-38117
📋 TL;DR
This is a use-after-free vulnerability in Foxit PDF Reader's AcroForm Doc object handling that allows remote attackers to execute arbitrary code. Attackers can exploit it by tricking users into opening malicious PDF files or visiting malicious web pages. All users running vulnerable versions of Foxit PDF Reader are affected.
💻 Affected Systems
- Foxit PDF Reader
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the victim's computer, enabling data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Malware installation leading to data exfiltration, credential theft, or system disruption for individual users who open malicious PDFs.
If Mitigated
Limited impact with only the PDF reader process affected if sandboxing is enabled, though sandbox escape may still be possible.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious file) but no authentication. The vulnerability is well-documented, and weaponization is likely given the CVSS score and RCE nature.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.1.3 and later
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: Yes
Instructions:
1. Open Foxit PDF Reader.
2. Go to Help > Check for Updates.
3. Follow prompts to install version 12.1.3 or later.
4. Restart the application.
🔧 Temporary Workarounds
Disable JavaScript in Foxit Reader
Windows: Prevents JavaScript-based exploitation vectors that might trigger this vulnerability
File > Preferences > Security > Uncheck 'Enable JavaScript'
Use Protected View
Windows: Open PDFs in protected/sandboxed mode to limit potential damage
File > Preferences > General > Check 'Open documents in Protected View'
🧯 If You Can't Patch
- Temporarily switch to alternative PDF readers like Adobe Acrobat Reader or browser-based PDF viewers
- Implement application whitelisting to block Foxit Reader execution until patched
🔍 How to Verify
Check if Vulnerable:
Check Foxit Reader version via Help > About. If version is below 12.1.3, the system is vulnerable.
Check Version:
wmic product where "name like '%Foxit%'" get name,version
Verify Fix Applied:
Verify version is 12.1.3 or higher in Help > About dialog.
📡 Detection & Monitoring
Log Indicators:
- Foxit Reader crash logs with memory access violations
- Unexpected child processes spawned from Foxit Reader
Network Indicators:
- Outbound connections from Foxit Reader process to suspicious IPs
- DNS requests for known malicious domains after PDF opening
SIEM Query:
process_name:"FoxitReader.exe" AND (event_id:1000 OR event_id:1001) AND exception_code:0xc0000005
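The log indicators and SIEM query above, expressed as offline triage logic over exported events (an added example, not from the original page or from Foxit). The JSON field names, the Sysmon-style event ID 1 for process creation, the second reader process name, the allowlist entry and the sample events are assumptions constructed for illustration.

```python
import json

# Constructed sample events, not real telemetry. Field names follow the page's
# SIEM query; event_id 1 (Sysmon-style process creation) is an assumption.
SAMPLE_EVENTS = """\
{"host": "ws-01", "event_id": 1000, "process_name": "FoxitReader.exe", "exception_code": "0xc0000005"}
{"host": "ws-02", "event_id": 1000, "process_name": "FoxitReader.exe", "exception_code": "0xc0000409"}
{"host": "ws-01", "event_id": 1, "parent_name": "FoxitReader.exe", "process_name": "cmd.exe"}
{"host": "ws-03", "event_id": 1, "parent_name": "FoxitReader.exe", "process_name": "example-updater.exe"}
{"host": "ws-04", "event_id": 1001, "process_name": "notepad.exe", "exception_code": "0xC0000005"}
truncated or non-JSON line
"""
# First name is from the page; the second is an assumed name for newer builds.
READER_NAMES = {"foxitreader.exe", "foxitpdfreader.exe"}
# Hypothetical baseline of children the reader is expected to start.
EXPECTED_CHILDREN = {"example-updater.exe"}
ACCESS_VIOLATION = 0xC0000005

def classify(event):
    """Return a finding label for one parsed event, or None."""
    proc = str(event.get("process_name", "")).lower()
    parent = str(event.get("parent_name", "")).lower()
    eid = event.get("event_id")
    if eid in (1000, 1001) and proc in READER_NAMES:
        try:  # compare numerically so 0xC0000005 and 0xc0000005 both match
            code = int(str(event.get("exception_code", "")), 16)
        except ValueError:
            return None
        return "reader-access-violation" if code == ACCESS_VIOLATION else None
    if eid == 1 and parent in READER_NAMES and proc not in EXPECTED_CHILDREN:
        return "unexpected-child-process"
    return None

def scan(lines):
    """Return (host, label, process_name) for each finding."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        label = classify(event) if isinstance(event, dict) else None
        if label:
            findings.append((event.get("host"), label, event.get("process_name")))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

A crash and an unexpected child process on the same host (ws-01 in the sample) is the pairing worth prioritizing; populate `EXPECTED_CHILDREN` from your own process baseline before relying on the second rule.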