Login Sign Up

CVE-2024-30355

7.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability in Foxit PDF Reader allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files. The flaw exists in how AcroForms handle Doc objects, enabling out-of-bounds writes that can lead to remote code execution. All users running vulnerable versions of Foxit PDF Reader are affected.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: Versions prior to 2024.1
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. Requires user interaction to open malicious PDF.

📦 What is this software?

Pdf Editor by Foxit

View all CVEs affecting Pdf Editor →

Pdf Editor by Foxit

View all CVEs affecting Pdf Editor →

Pdf Editor by Foxit

View all CVEs affecting Pdf Editor →

Pdf Editor by Foxit

View all CVEs affecting Pdf Editor →

Pdf Editor by Foxit

View all CVEs affecting Pdf Editor →

Pdf Reader by Foxit

View all CVEs affecting Pdf Reader →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via remote code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Malicious actor gains control of the user's system through crafted PDF files, enabling credential theft, surveillance, or malware installation.

🟢

If Mitigated

Limited impact with proper security controls - user may experience application crash but no code execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction but no authentication. ZDI has confirmed the vulnerability exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.1 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader
2. Go to Help > Check for Updates
3. Follow prompts to install version 2024.1 or later
4. Restart the application

🔧 Temporary Workarounds

Disable JavaScript in Foxit

all

Prevents JavaScript execution which may be used in exploitation chain

Open Foxit > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Protected View

all

Open PDFs in restricted mode to limit potential damage

Open Foxit > File > Preferences > Trust Manager > Check 'Enable Protected View'

🧯 If You Can't Patch

  • Use alternative PDF readers temporarily
  • Block PDF downloads from untrusted sources via web proxy

🔍 How to Verify

Check if Vulnerable:

Check Foxit version in Help > About. If version is below 2024.1, system is vulnerable.

Check Version:

On Windows: wmic product where name="Foxit PDF Reader" get version

Verify Fix Applied:

Verify version is 2024.1 or higher in Help > About.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes from FoxitPDFReader.exe
  • Unusual process spawning from Foxit
  • Memory access violation errors

Network Indicators:

  • Downloads of PDF files from suspicious sources
  • Outbound connections after PDF opening

SIEM Query:

process_name:"FoxitPDFReader.exe" AND (event_id:1000 OR event_id:1001) OR process_parent_name:"FoxitPDFReader.exe"

📊 Metadata

CVE ID: CVE-2024-30355
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: April 2, 2024
Last Updated: August 8, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-30355, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)