CVE-2024-30336
📋 TL;DR
This is a use-after-free vulnerability in Foxit PDF Reader's AcroForm handling that allows remote attackers to execute arbitrary code when a user opens a malicious PDF file. Attackers can gain control of the current process, potentially leading to full system compromise. All users running vulnerable versions of Foxit PDF Reader are affected.
💻 Affected Systems
- Foxit PDF Reader
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with attacker gaining the same privileges as the user running Foxit PDF Reader, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Malicious code execution in the context of the current user, allowing data exfiltration, installation of additional malware, or credential theft.
If Mitigated
Limited impact with proper application sandboxing and least privilege principles, potentially contained to the PDF reader process.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious PDF) but no authentication. The vulnerability is in a widely used component and follows typical use-after-free exploitation patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.1 and later
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: No
Instructions:
1. Open Foxit PDF Reader.
2. Go to Help > Check for Updates.
3. Follow prompts to install version 2024.1 or later.
4. Alternatively, download and install the latest version from Foxit's official website.
🔧 Temporary Workarounds
Disable JavaScript in Foxit PDF Reader
All platforms: Prevents JavaScript-based exploitation vectors that might be used to trigger this vulnerability
Open Foxit PDF Reader > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'
Use Protected View
All platforms: Opens PDFs in a restricted mode that may prevent exploitation
Open Foxit PDF Reader > File > Preferences > Trust Manager > Check 'Enable Safe Reading Mode'
🧯 If You Can't Patch
- Use alternative PDF readers that are not vulnerable to this specific CVE
- Implement application whitelisting to block execution of Foxit PDF Reader
🔍 How to Verify
Check if Vulnerable:
Check the Foxit PDF Reader version: Open Foxit > Help > About Foxit PDF Reader. If the version is below 2024.1, the system is vulnerable.
Check Version:
On Windows: wmic product where name="Foxit PDF Reader" get version
Verify Fix Applied:
Verify version is 2024.1 or later in Help > About Foxit PDF Reader. Test opening known safe PDF files to ensure functionality.
📡 Detection & Monitoring
Log Indicators:
- Unexpected Foxit PDF Reader process crashes
- Multiple PDF file openings from unusual sources
- Process creation from Foxit PDF Reader to suspicious locations
Network Indicators:
- Outbound connections from Foxit PDF Reader process to unknown IPs
- DNS requests for suspicious domains following PDF opening
SIEM Query:
process_name:"FoxitPDFReader.exe" AND (event_id:1000 OR event_id:1001) | where process_version < "2024.1"
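The filter from the query above, applied in Python to constructed event records, as an added example that is not part of the original page or of any SIEM product. The version check is done numerically because a plain string comparison ranks "9.7.1.1" above "2024.1" and would miss old installs. The field names follow the query; the sample events, host names and version strings are constructed, and treating an unparseable version as vulnerable is an assumption.

```python
import re

PATCHED = (2024, 1)             # "Patch Version: 2024.1 and later" on this page
CRASH_EVENT_IDS = {1000, 1001}  # event IDs used in the page's SIEM query
PROCESS = "foxitpdfreader.exe"

# Constructed sample events (hosts and version strings are illustrative only).
SAMPLE_EVENTS = [
    {"host": "ws-01", "process_name": "FoxitPDFReader.exe", "event_id": 1000, "process_version": "2023.3.0.1"},
    {"host": "ws-02", "process_name": "FoxitPDFReader.exe", "event_id": 1000, "process_version": "2024.1.0.1"},
    {"host": "ws-03", "process_name": "FoxitPDFReader.exe", "event_id": 1001, "process_version": "9.7.1.1"},
    {"host": "ws-04", "process_name": "winword.exe", "event_id": 1000, "process_version": "16.0"},
    {"host": "ws-05", "process_name": "FoxitPDFReader.exe", "event_id": 4688, "process_version": "2023.2"},
]

def parse_version(text):
    """Turn '2023.3.0.1' into (2023, 3, 0, 1); None if no digits are present."""
    parts = re.findall(r"\d+", text or "")
    return tuple(int(p) for p in parts) if parts else None

def is_vulnerable(version_text):
    """Compare component by component; unknown versions count as vulnerable (assumption)."""
    v = parse_version(version_text)
    return v is None or v < PATCHED

def flag_events(events):
    """Return crash events raised by an unpatched Foxit PDF Reader process."""
    hits = []
    for e in events:
        if e.get("process_name", "").lower() != PROCESS:
            continue  # some other application crashed
        if e.get("event_id") not in CRASH_EVENT_IDS:
            continue  # not an application crash event
        if is_vulnerable(e.get("process_version")):
            hits.append(e)
    return hits

if __name__ == "__main__":
    for e in flag_events(SAMPLE_EVENTS):
        print(e["host"], e["event_id"], e["process_version"])
```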