CVE-2024-25858

8.4 HIGH

📋 TL;DR

This vulnerability in Foxit PDF Reader and Editor allows remote code execution through malicious JavaScript embedded in PDF files. Attackers can exploit an unoptimized prompt message to execute arbitrary code on affected systems. Users running Foxit PDF Reader before 2024.1 or PDF Editor before 2024.1 are vulnerable.

💻 Affected Systems

Products:
  • Foxit PDF Reader
  • Foxit PDF Editor
Versions: All versions before 2024.1
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: JavaScript execution is typically enabled by default in Foxit products, making most installations vulnerable without configuration changes.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the victim's computer, enabling data theft, ransomware deployment, or lateral movement within networks.

🟠 Likely Case

Malware installation leading to data exfiltration, credential theft, or system disruption through malicious PDF files delivered via email or web downloads.

🟢 If Mitigated

Limited impact with proper application sandboxing, JavaScript disabled in PDF readers, and user awareness preventing malicious file execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious PDF file, but no authentication is needed once the file is opened.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.1

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader/Editor.
2. Go to Help > Check for Updates.
3. Follow prompts to install version 2024.1 or later.
4. Restart the application after installation completes.

🔧 Temporary Workarounds

Disable JavaScript in Foxit (platforms: all)

Prevents JavaScript execution in PDF files, blocking the attack vector.

Open Foxit > File > Preferences > Security > Uncheck 'Enable JavaScript'

Use Alternative PDF Reader (platforms: all)

Temporarily switch to a different PDF reader that isn't affected.

🧯 If You Can't Patch

  • Implement application whitelisting to block unauthorized executables
  • Deploy network filtering to block PDF downloads from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check Foxit version: Open Foxit > Help > About. If version is below 2024.1, you are vulnerable.

Check Version:

On Windows: wmic product where name="Foxit PDF Reader" get version

Verify Fix Applied:

Confirm version is 2024.1 or higher in Help > About, then verify JavaScript settings in Preferences > Security.

📡 Detection & Monitoring

Log Indicators:

  • Foxit process spawning unexpected child processes
  • JavaScript execution errors in Foxit logs
  • Multiple PDF file openings from unusual sources

Network Indicators:

  • PDF downloads from suspicious domains
  • Outbound connections from Foxit process to unknown IPs

SIEM Query:

process_name:"Foxit*.exe" AND (parent_process:cmd.exe OR child_process:powershell.exe)
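
The first log indicator above (a Foxit process spawning unexpected child processes) can be checked offline against exported process-creation records. The script below is an added example, not part of the vendor advisory or of any SIEM product. It assumes one JSON object per line with `ParentImage`, `Image` and `CommandLine` fields (names modelled on Sysmon process-creation events), and the sample records and the list of suspicious children are constructed for illustration.

```python
import json
from fnmatch import fnmatch
from ntpath import basename  # parses Windows paths on any OS

FOXIT_PATTERN = "foxit*.exe"  # same wildcard as the SIEM query above
# Assumption: cmd.exe and powershell.exe come from the SIEM query above; the
# other script hosts are added here for illustration.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed sample records, one JSON object per line; paths are made up.
SAMPLE_EVENTS = r"""
{"ParentImage": "C:\\Apps\\FoxitPDFReader.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Apps\\FoxitPDFReader.exe", "CommandLine": "FoxitPDFReader.exe invoice.pdf"}
{"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Apps\\FoxitPDFReader.exe", "CommandLine": "FoxitPDFReader.exe report.pdf"}
{"ParentImage": "C:\\Apps\\FoxitPDFEditor.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.EXE", "CommandLine": "powershell.exe -File C:\\Temp\\a.ps1"}
{"ParentImage": "C:\\Apps\\FoxitPDFReader.exe", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 8192"}
{"Image": "C:\\Windows\\System32\\cmd.exe"}
truncated-record {"ParentImage":
"""


def foxit_child_alerts(lines):
    """Return (parent, child, command line) for Foxit -> shell/script-host spawns."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed record: skip it, keep hunting
        if not isinstance(event, dict):
            continue
        # Compare lower-cased file names so path and case differences do not matter.
        parent = basename(str(event.get("ParentImage") or "")).lower()
        child = basename(str(event.get("Image") or "")).lower()
        # Only the parent -> child direction counts: Foxit started *from* a
        # shell (third sample record) is not a Foxit child spawn.
        if fnmatch(parent, FOXIT_PATTERN) and child in SUSPICIOUS_CHILDREN:
            alerts.append((parent, child, event.get("CommandLine", "")))
    return alerts


if __name__ == "__main__":
    for parent, child, cmdline in foxit_child_alerts(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {parent} -> {child}: {cmdline}")
```

Helper processes a PDF reader starts legitimately, such as the print helper in the fifth sample record, are not flagged because the match is an explicit list of children rather than "any child".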
