CVE-2024-30325

7.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in Foxit PDF Reader's AcroForm handling that allows remote attackers to execute arbitrary code when a user opens a malicious PDF file. Attackers can exploit this to gain control of the affected system with the same privileges as the current user. All users running vulnerable versions of Foxit PDF Reader are affected.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: prior to 2024.1
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The vulnerability requires user interaction to open a malicious PDF file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the victim's machine, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to malware installation, credential theft, or system disruption for the affected user account.

🟢 If Mitigated

Limited impact with proper application sandboxing and least privilege principles, potentially contained to the PDF reader process only.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (opening a malicious PDF) but no authentication. The vulnerability is actively tracked by ZDI and likely to be exploited in targeted attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.1 and later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader.
2. Go to Help > Check for Updates.
3. Follow prompts to install version 2024.1 or later.
4. Restart the application after installation.

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

Platforms: all

Prevents JavaScript execution which may be used in exploitation chains

File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Protected View

Platforms: all

Open PDFs in protected/sandboxed mode to limit potential damage

File > Preferences > Trust Manager > Check 'Enable Safe Reading Mode'

🧯 If You Can't Patch

  • Temporarily switch to alternative PDF readers like Adobe Reader or browser-based PDF viewers
  • Implement application whitelisting to block execution of malicious payloads

🔍 How to Verify

Check if Vulnerable:

Check Foxit PDF Reader version: Help > About Foxit Reader. If version is earlier than 2024.1, you are vulnerable.

Check Version:

On Windows: wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Verify version is 2024.1 or later in Help > About Foxit Reader. Test opening known safe PDF files to ensure functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from FoxitReader.exe
  • Memory access violations in application logs
  • Multiple failed PDF parsing attempts

Network Indicators:

  • Outbound connections from Foxit Reader process to unknown IPs
  • DNS requests for suspicious domains following PDF opening

SIEM Query:

process_name="FoxitReader.exe" AND (parent_process="explorer.exe" OR cmdline CONTAINS "malicious.pdf")
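
The "Unusual process creation from FoxitReader.exe" indicator as a runnable check, added here as an illustration and not taken from Foxit or any SIEM product; the event field names, the sample events and the allowlist are constructed assumptions. Unlike the query above, which also matches an ordinary launch from explorer.exe, it keys on FoxitReader.exe as the parent process and reports which PDF that reader instance was started with.

```python
import ntpath
import re

READER = "foxitreader.exe"  # process name from the page's indicators
# Assumption: child images your own baseline shows the reader legitimately starts.
ALLOWED_CHILDREN = {"foxitreader.exe"}
PDF_ARG = re.compile(r'"([^"]+\.pdf)"|(\S+\.pdf)', re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1 style); paths are made up.
EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Apps\Foxit\FoxitReader.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Apps\Foxit\FoxitReader.exe" "C:\Users\a\Downloads\invoice.pdf"'},
    {"pid": 4188, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Apps\Foxit\FoxitReader.exe",
     "cmdline": "cmd.exe /c echo test"},
    {"pid": 4200, "ppid": 4100, "image": r"C:\Apps\Foxit\FoxitReader.exe",
     "parent_image": r"C:\Apps\Foxit\FoxitReader.exe",
     "cmdline": r'"C:\Apps\Foxit\FoxitReader.exe"'},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def suspicious_children(events):
    """Return one alert per non-allowlisted process whose parent is the reader."""
    docs = {}  # reader pid -> PDF path found on its command line, if any
    alerts = []
    for ev in events:
        if base(ev["image"]) == READER:
            m = PDF_ARG.search(ev["cmdline"])
            docs[ev["pid"]] = (m.group(1) or m.group(2)) if m else None
        if base(ev["parent_image"]) == READER and base(ev["image"]) not in ALLOWED_CHILDREN:
            alerts.append({"child": base(ev["image"]), "cmdline": ev["cmdline"],
                           "document": docs.get(ev["ppid"])})
    return alerts


if __name__ == "__main__":
    for alert in suspicious_children(EVENTS):
        print(alert)
```

Populate the allowlist from a baseline of what the reader starts in your environment before alerting on the result.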
