CVE-2023-39542

8.8 HIGH

📋 TL;DR

This vulnerability in the JavaScript saveAs API of Foxit Reader lets a specially crafted PDF write attacker-controlled files to arbitrary locations on the filesystem (anywhere the reader's user can write). A victim is exploited by opening the malicious PDF, or by visiting a malicious website if the Foxit browser plugin is enabled. Dropping a file into a startup or script location turns the arbitrary write into remote code execution. The affected build is Foxit Reader 12.1.3.15356.

💻 Affected Systems

Products:
  • Foxit Reader
Versions: 12.1.3.15356
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Browser plugin must be enabled for web-based exploitation; file-based exploitation works with default PDF reader configuration.

📦 What is this software?

Foxit Reader is a free PDF viewer from Foxit Software for Windows, macOS and Linux. Like Adobe Acrobat it supports JavaScript embedded in PDF documents (an Acrobat-compatible JavaScript API, including document methods such as saveAs), and it ships an optional browser plugin for rendering PDFs inside the browser. Both of those features are the attack surface for this CVE.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control over the victim's machine, data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Local file system manipulation leading to malware installation, credential theft, or persistence mechanisms being established on the compromised system.

🟢

If Mitigated

Limited impact with proper application sandboxing, file system restrictions, and user awareness preventing malicious file execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (opening malicious file or visiting malicious site). No authentication required for the vulnerability itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.2.0 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Download the latest Foxit Reader from the official website.
2. Run the installer.
3. Restart the system.
4. Verify the version is 12.2.0 or higher.

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader (platforms: all)

Prevents JavaScript execution in PDF files, which removes the saveAs attack path entirely.

Open Foxit Reader > File > Preferences > Trust Manager > uncheck 'Enable JavaScript' (the checkbox is labelled 'Enable JavaScript Actions' in recent builds). Note that this also breaks legitimate PDF forms and documents that rely on JavaScript.

Disable Browser Plugin (platforms: all)

Prevents web-based exploitation through malicious websites; file-based exploitation (a user opening a downloaded PDF) is unaffected by this step.

Browser settings > Extensions/Add-ons > disable the Foxit Reader plugin.

🧯 If You Can't Patch

  • Use alternative PDF reader software
  • Implement application whitelisting to block Foxit Reader execution

🔍 How to Verify

Check if Vulnerable:

Check the Foxit Reader version in Help > About. If the version is 12.1.3.15356, the system is vulnerable. Earlier 12.x builds are below the fixed version and were not tested by the reporter; treat them as unpatched until upgraded.

Check Version:

On Windows: wmic product where name="Foxit Reader" get version (note: querying Win32_Product is slow and triggers an MSI consistency check on every installed package, and wmic is deprecated on current Windows releases; reading DisplayVersion from the Uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and the WOW6432Node equivalent is the lighter-weight option).

Verify Fix Applied:

Verify the version is 12.2.0 or higher in Help > About. Optionally confirm that JavaScript in known-good PDF forms still works, so the upgrade has not been mistaken for the "disable JavaScript" workaround.
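The version triage below is an added example, not part of the original advisory or Foxit's own tooling. It assumes the per-host output of the wmic command shown above (a "Version" header line followed by the version, or a "No Instance(s) Available." line when Foxit is absent) has already been collected into a dict; the sample outputs are constructed. It treats only 12.2.0 and later as fixed and flags older-than-tested builds separately so they are not silently marked safe.

```python
"""Classify Foxit Reader installs as fixed / vulnerable for CVE-2023-39542.

Added example (not the advisory's or Foxit's code). Input is assumed to be the
raw text of `wmic product where name="Foxit Reader" get version` per host;
the sample outputs below are constructed, including the build numbers.
"""

AFFECTED = (12, 1, 3, 15356)   # build the advisory lists as vulnerable
FIXED = (12, 2, 0)             # first version the advisory lists as fixed


def parse_version(text: str):
    """'12.1.3.15356' -> (12, 1, 3, 15356); None if the text is not a version."""
    parts = text.strip().split(".")
    try:
        return tuple(int(p) for p in parts)
    except ValueError:
        return None


def parse_wmic(output: str):
    """Return the first version-looking line of wmic output, or None if absent."""
    for line in output.splitlines():
        line = line.strip()
        if not line or line.lower() == "version":
            continue            # blank padding or the column header
        version = parse_version(line)
        if version:
            return version
    return None                 # e.g. "No Instance(s) Available."


def status(version):
    """Map a parsed version tuple to a triage status."""
    if version is None:
        return "not-installed"
    if version >= FIXED:        # tuple comparison: (12, 2, 0, 1) >= (12, 2, 0)
        return "fixed"
    if version == AFFECTED:
        return "vulnerable"
    # Older than the fix but not the build the reporter tested: do not assume
    # safe, it is still missing the patch.
    return "unpatched-untested"


def triage(hosts):
    """hosts: {hostname: raw wmic output} -> {hostname: status}."""
    return {host: status(parse_wmic(out)) for host, out in hosts.items()}


# Constructed sample telemetry, not real collector output.
SAMPLE = {
    "WS01": "Version  \r\n12.1.3.15356  \r\n\r\n",
    "WS02": "Version  \r\n12.2.0.0  \r\n",
    "WS03": "No Instance(s) Available.\r\n",
    "WS04": "Version  \r\n12.0.2.0  \r\n",
}

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE).items()):
        print(f"{host}: {result}")
```

Hosts reported as "unpatched-untested" should be upgraded on the same schedule as "vulnerable" ones; the distinction only records that the exact build was not the one named in the advisory.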

📡 Detection & Monitoring

Log Indicators:

  • Foxit Reader writing files with executable or script extensions (.exe, .dll, .lnk, .hta, .vbs, .js, .ps1, .bat) or writing into Startup folders, scheduled task directories or system paths
  • Foxit Reader process spawning unexpected child processes (cmd.exe, powershell.exe, mshta.exe, wscript.exe)
  • JavaScript execution errors or console output from the reader, where such logging is available

Network Indicators:

  • Unexpected outbound connections from Foxit Reader process
  • Downloads of suspicious PDF files

SIEM Query:

process_name:"FoxitReader.exe" AND ((file_create:* AND (file_extension:(exe OR dll OR lnk OR hta OR vbs OR js OR ps1 OR bat) OR file_path:*\Startup\*)) OR child_process:*)

(Plain file_create:* or network_connection:* on FoxitReader.exe alone will be noisy: the reader legitimately saves PDFs and checks for updates.)
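The triage script below is an added example, not part of the original advisory and not from any SIEM vendor. It implements the detection logic of the indicators above over Sysmon-style events (EventID 1 = process create, EventID 11 = file create, Sysmon's Image / ParentImage / TargetFilename field names) that are assumed to have already been flattened into Python dicts; the sample events are constructed. It scores a Foxit write of executable content or a write into a persistence path as high, any Foxit child process as high, and other non-PDF writes as medium, so that routine PDF saves do not alert.

```python
"""Score Sysmon-style events for behaviour that follows a CVE-2023-39542
arbitrary file write from Foxit Reader.

Added example, not the advisory's code. Assumes Sysmon-like events already
flattened to dicts (EventID 1 process create, 11 file create). All sample
events below are constructed, not real telemetry.
"""

import ntpath

FOXIT_IMAGE = "foxitreader.exe"   # Windows reader binary, matched case-insensitively

# A PDF reader has no business writing these; treat as high signal.
EXEC_EXTS = {".exe", ".dll", ".scr", ".lnk", ".hta", ".js", ".jse", ".vbs",
             ".vbe", ".ps1", ".bat", ".cmd", ".com", ".pif"}

# Lower-cased path fragments where a dropped file gains persistence/execution.
SENSITIVE_DIRS = (
    r"\start menu\programs\startup",
    r"\windows\system32",
    r"\windows\syswow64",
    r"\windows\tasks",
)

# File types the reader writes during normal use (saves, temp, form data).
BENIGN_EXTS = {".pdf", ".tmp", ".log", ".xml", ".fdf", ".xfdf"}


def _is_foxit(image) -> bool:
    # ntpath handles backslash paths regardless of the host OS.
    return ntpath.basename(image or "").lower() == FOXIT_IMAGE


def classify(event: dict):
    """Return (severity, reason) for one event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 11 and _is_foxit(event.get("Image")):
        target = event.get("TargetFilename", "")
        low = target.lower()
        _, ext = ntpath.splitext(low)
        if ext in EXEC_EXTS:
            return ("high", f"Foxit wrote executable content: {target}")
        if any(d in low for d in SENSITIVE_DIRS):
            return ("high", f"Foxit wrote into a persistence/system path: {target}")
        if ext not in BENIGN_EXTS:
            return ("medium", f"Foxit wrote an unusual file type: {target}")
    if eid == 1 and _is_foxit(event.get("ParentImage")):
        return ("high", f"Foxit spawned child process: {event.get('Image', '')}")
    return None


def triage(events):
    """Return findings as dicts, high severity first (stable order otherwise)."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"host": ev.get("Computer"),
                             "severity": hit[0], "reason": hit[1]})
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f["severity"]])


FOXIT = r"C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe"

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "WS01", "Image": FOXIT,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.hta"},
    {"EventID": 11, "Computer": "WS01", "Image": FOXIT,
     "TargetFilename": r"C:\Users\alice\Documents\invoice-copy.pdf"},
    {"EventID": 1, "Computer": "WS01", "ParentImage": FOXIT,
     "Image": r"C:\Windows\System32\mshta.exe"},
    {"EventID": 11, "Computer": "WS02", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Desktop\tool.exe"},
    {"EventID": 11, "Computer": "WS02", "Image": FOXIT,
     "TargetFilename": r"C:\Users\bob\Downloads\notes.txt"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['host']}: {f['reason']}")
```

The medium tier exists to catch a write whose extension is not on the executable list (a dropped DLL sideload target renamed later, a .cfg that a scheduled task reads) without paging on every PDF the user saves; tune BENIGN_EXTS against a week of real Foxit file-create telemetry before enabling it.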

🔗 References
