CVE-2024-12753
📋 TL;DR
This vulnerability in Foxit PDF Reader allows local attackers to escalate privileges from low-privileged user accounts to SYSTEM level by exploiting a flaw in the installer through junction manipulation. It affects users running vulnerable versions of Foxit PDF Reader on Windows systems where an attacker already has initial access.
💻 Affected Systems
- Foxit PDF Reader
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and full control over the affected system.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional malware, and maintain persistence on compromised systems.
If Mitigated
Limited impact if proper privilege separation and endpoint protection are in place, though local attackers could still gain elevated access.
🎯 Exploit Status
Exploitation requires local access and ability to create junctions. The vulnerability was discovered by Zero Day Initiative (ZDI-CAN-25408).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.4.0.26337 or later
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: Yes
Instructions:
1. Download latest version from Foxit website.
2. Uninstall current version.
3. Install updated version.
4. Restart system.
🔧 Temporary Workarounds
Restrict installer permissions
Windows: Limit user permissions to prevent junction creation in installer directories
icacls "C:\Program Files\Foxit Software\Foxit PDF Reader" /deny Users:(OI)(CI)(DE,DC)
Use application control
Windows: Implement application whitelisting to prevent unauthorized installer execution
🧯 If You Can't Patch
- Implement least privilege principles to limit local user permissions
- Deploy endpoint detection and response (EDR) to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Foxit PDF Reader version in Help > About. If version is below 2024.4.0.26337, system is vulnerable.
Check Version:
wmic product where name="Foxit PDF Reader" get version
Verify Fix Applied:
Verify version is 2024.4.0.26337 or higher in Help > About after update.
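The version check above can be scripted for fleet audits. The following PowerShell is an added example, not code from Foxit or from this page; it reads the standard Windows uninstall registry keys instead of `wmic product`, which only lists MSI-registered installs. It assumes the product registers a DisplayName starting with "Foxit PDF Reader" (the name used in the wmic query above) and a DisplayVersion in the same format as Help > About; the function names are hypothetical.

```powershell
# Added example: compare installed Foxit PDF Reader builds to the fixed version.
$FixedVersion = [version]'2024.4.0.26337'   # patch version stated on this page

function Test-FoxitVersionVulnerable {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    $parsed = $null
    if (-not [version]::TryParse($DisplayVersion.Trim(), [ref]$parsed)) {
        return $null   # unparseable version string: flag for manual review
    }
    # A shorter string such as '2024.4.0' compares as lower than the fixed
    # build, so it is reported as vulnerable (conservative result).
    return ($parsed -lt $FixedVersion)
}

function Get-FoxitReaderInstall {
    # Standard per-machine uninstall keys (64-bit and 32-bit registry views).
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        # DisplayName prefix is an assumption taken from the wmic query above.
        Where-Object { $_.DisplayName -like 'Foxit PDF Reader*' -and $_.DisplayVersion } |
        ForEach-Object {
            $vuln = Test-FoxitVersionVulnerable -DisplayVersion $_.DisplayVersion
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Name     = $_.DisplayName
                Version  = $_.DisplayVersion
                Status   = if ($null -eq $vuln) { 'Unknown' }
                           elseif ($vuln)       { 'Vulnerable' }
                           else                 { 'Patched' }
            }
        }
}

Get-FoxitReaderInstall | Format-Table -AutoSize
```

No output means no matching uninstall entry was found on the machine; a Status of Unknown means the registered version string did not parse and should be checked by hand.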
📡 Detection & Monitoring
Log Indicators:
- Unusual installer activity, junction creation events, privilege escalation attempts
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
EventID=4688 AND ProcessName LIKE '%foxit%' AND NewProcessName LIKE '%installer%'