CVE-2024-9735

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious JPF files in Tungsten Automation Power PDF. The flaw exists in JPF file parsing where improper data validation leads to out-of-bounds writes. All users of affected Power PDF versions are at risk.

💻 Affected Systems

Products:
  • Tungsten Automation Power PDF
Versions: Specific versions not detailed in advisory - check vendor advisory for exact affected versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations with JPF file parsing enabled are vulnerable. User interaction required (opening malicious file).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the victim's computer, data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Malware installation, data exfiltration, or system disruption through crafted JPF files sent via email or downloaded from malicious websites.

🟢 If Mitigated

Limited impact with proper application sandboxing, user awareness training preventing malicious file opens, and endpoint protection blocking exploitation attempts.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening a malicious file). ZDI has confirmed the vulnerability, but no public exploit is available yet.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Tungsten Automation security advisory for specific patched version

Vendor Advisory: https://www.tungstenautomation.com/security

Restart Required: Yes

Instructions:

1. Check current Power PDF version
2. Visit Tungsten Automation security advisory page
3. Download and install latest security update
4. Restart system if prompted
5. Verify update applied successfully

🔧 Temporary Workarounds

Disable JPF file association

Platform: Windows

Remove JPF file type association with Power PDF to prevent automatic opening

Control Panel > Default Programs > Associate a file type or protocol with a program > Remove .jpf association with Power PDF

Application control policy

Platform: Windows

Block Power PDF from executing untrusted JPF files via application control

🧯 If You Can't Patch

  • Implement strict email filtering to block JPF attachments
  • Deploy endpoint detection and response (EDR) to monitor for exploitation attempts
  • Educate users not to open JPF files from untrusted sources
  • Consider disabling Power PDF entirely if not business-critical
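
For the email-filtering item above, an added example (not from the vendor or the advisory) of a gateway-side check that identifies JPF/JPX attachments by content as well as by extension, so a renamed file is still caught. It assumes the standard JPEG 2000 box layout (12-byte signature box followed by a File Type box); the function names, the extension list and the sample bytes are constructed for illustration.

```python
import struct

# JPEG 2000 signature box: length 12, type 'jP  ', payload 0D 0A 87 0A.
JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"
BLOCKED_EXTENSIONS = {"jpf", "jpx"}  # assumption: extensions used for JPX files


def ftyp_brands(data: bytes):
    """Return the File Type box brands, None if not boxed JPEG 2000,
    or an empty set if the signature is present but the box is malformed."""
    if not data.startswith(JP2_SIGNATURE):
        return None
    off = len(JP2_SIGNATURE)
    if len(data) < off + 16:
        return set()
    length, box_type = struct.unpack_from(">I4s", data, off)
    if box_type != b"ftyp" or length < 16:
        return set()
    # Clamp the declared box length to the bytes actually present.
    end = min(off + length, len(data))
    brands = {data[off + 8:off + 12]}            # major brand
    for pos in range(off + 16, end - 3, 4):      # compatibility list
        brands.add(data[pos:pos + 4])
    return brands


def should_block(filename: str, data: bytes) -> bool:
    """Block on a JPF/JPX extension, a 'jpx ' brand, or a malformed header."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return True
    brands = ftyp_brands(data)
    if brands is None:
        return False
    return not brands or b"jpx " in brands


def build_sample(brand: bytes, compat: list) -> bytes:
    """Construct a header-only sample (constructed test data, no image payload)."""
    ftyp = struct.pack(">I4s4sI", 16 + 4 * len(compat), b"ftyp", brand, 0)
    return JP2_SIGNATURE + ftyp + b"".join(compat)


SAMPLE_JPX = build_sample(b"jpx ", [b"jpx ", b"jp2 "])
SAMPLE_JP2 = build_sample(b"jp2 ", [b"jp2 "])

if __name__ == "__main__":
    for name, blob in [("photo.jpg", SAMPLE_JPX), ("photo.jp2", SAMPLE_JP2),
                       ("invoice.jpf", b""), ("doc.pdf", b"%PDF-1.7\n")]:
        print(name, "->", "BLOCK" if should_block(name, blob) else "allow")
```

Files that carry the JPEG 2000 signature but a truncated or malformed File Type box are blocked as well, since a filter should not pass a header it cannot classify.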

🔍 How to Verify

Check if Vulnerable:

Check the installed Power PDF version against the vendor advisory. If an affected version is installed and JPF parsing is enabled, the system is vulnerable.

Check Version:

Open Power PDF > Help > About Power PDF

Verify Fix Applied:

Verify Power PDF version matches or exceeds patched version specified in vendor advisory. Test with known safe JPF files.

📡 Detection & Monitoring

Log Indicators:

  • Power PDF crash logs with memory access violations
  • Unexpected Power PDF process spawning child processes
  • JPF file opens followed by unusual system activity

Network Indicators:

  • Outbound connections from Power PDF process to unknown IPs
  • Unusual data exfiltration patterns after JPF file access

SIEM Query:

process_name:"PowerPDF.exe" AND (event_id:1000 OR event_id:1001) AND file_extension:".jpf"
