CVE-2025-13941
📋 TL;DR
A local privilege escalation vulnerability in Foxit PDF Reader/Editor Update Service allows low-privileged local attackers to modify plugin installation resources. When the service executes these resources, arbitrary code runs with SYSTEM privileges. All users running vulnerable Foxit versions are affected.
💻 Affected Systems
- Foxit PDF Reader
- Foxit PDF Editor
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence, and lateral movement.
Likely Case
Malicious insider or malware with user access escalates to SYSTEM to install backdoors, disable security controls, or steal credentials.
If Mitigated
With proper privilege separation and monitoring, impact limited to isolated systems with quick detection and containment.
🎯 Exploit Status
Exploitation requires local access but is straightforward once access is gained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Foxit security bulletin for specific patched version
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: Yes
Instructions:
1. Visit Foxit security bulletins page
2. Download latest version or security update
3. Install update
4. Restart system
🔧 Temporary Workarounds
Disable Foxit Update Service
Stop and disable the Foxit update service to prevent exploitation (run from an elevated command prompt):
sc stop FoxitUpdateService
sc config FoxitUpdateService start= disabled
Restrict File Permissions
Set strict ACLs on the Foxit installation directories so low-privileged users cannot modify them. The command below resets inheritance and grants full control only to SYSTEM and Administrators; the added Users entry keeps read and execute so standard users can still run the application (without it the reset would lock them out). This only helps if the plugin resources the service consumes live under the installation directory; harden any other writable location the service reads from in the same way, and re-check the ACLs after the patch is installed, since an update may reset them.
icacls "C:\Program Files\Foxit Software\Foxit PDF Reader" /inheritance:r /grant "SYSTEM:(OI)(CI)F" /grant "Administrators:(OI)(CI)F" /grant "Users:(OI)(CI)RX"
🧯 If You Can't Patch
- Implement least privilege: Ensure no low-privileged users have write access to Foxit installation directories.
- Monitor for suspicious file modifications in Foxit directories and unexpected SYSTEM privilege processes.
🔍 How to Verify
Check if Vulnerable:
Compare the installed Foxit version with the patched version in the security bulletin; check whether FoxitUpdateService is present and running, and whether low-privileged users hold write access to the Foxit installation directories.
Check Version:
In Foxit: Help > About, or read the version from the file properties of the Foxit executable in the installation directory.
Verify Fix Applied:
Confirm installed Foxit version matches or exceeds patched version; verify file permissions on Foxit directories are restrictive.
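The three checks above (version, service state, directory permissions) as one PowerShell script. This is an added example, not code from the advisory or from Foxit: the service name and the Reader install path are taken from the page, the Editor path and the Foxit*.exe file pattern are assumptions, and the patched version is a placeholder to fill in from the Foxit security bulletin. It also lists any other Foxit* service in case the service name differs on your build, and checks the directory holding the service binary as well as the install trees.

```powershell
# Added example, not part of the Foxit advisory: checks one Windows host for the three things
# the page says to verify. Assumptions: the service name 'FoxitUpdateService' and the Reader
# install path are taken from the page; the Editor path and the 'Foxit*.exe' file pattern are
# guesses; $PatchedVersion is a placeholder to fill in from the Foxit security bulletin.

$PatchedVersion = [version]'0.0.0.0'   # PLACEHOLDER: set from https://www.foxit.com/support/security-bulletins.html
$ServiceName    = 'FoxitUpdateService'
$FoxitDirs      = @(
    'C:\Program Files\Foxit Software\Foxit PDF Reader',
    'C:\Program Files\Foxit Software\Foxit PDF Editor'    # assumed; adjust to the Editor install path
)

# Principals every standard interactive user belongs to; any write-class right granted to
# them on the install tree is what the mitigation on this page is meant to remove.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'NT AUTHORITY\INTERACTIVE', 'Everyone')
$WriteRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteExtendedAttributes, WriteAttributes, Delete, ChangePermissions, TakeOwnership, Write, Modify, FullControl'

function Get-FoxitInstalledVersion {
    # Reads the file version of the first Foxit*.exe found directly under $Dir.
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir)) { return $null }
    $exe = Get-ChildItem -LiteralPath $Dir -Filter 'Foxit*.exe' -File -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $exe) { return $null }
    try { [version]$exe.VersionInfo.FileVersion } catch { $null }
}

function Get-LowPrivWriteAces {
    # Returns the Allow ACEs on $Path that give a low-privileged principal any write-class right.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band ([int]$WriteRights)) -ne 0
    }
}

# 1. Version check against the bulletin's patched version.
foreach ($dir in $FoxitDirs) {
    $v = Get-FoxitInstalledVersion -Dir $dir
    if ($null -eq $v) { Write-Output "[info] no Foxit executable found under $dir"; continue }
    $state = if ($v -ge $PatchedVersion) { 'PATCHED (or newer)' } else { 'VULNERABLE VERSION' }
    Write-Output "[version] $dir -> $v : $state"
}

# 2. Service check: the named service, plus any other Foxit* service in case the name differs.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) { Write-Output "[service] $ServiceName Status=$($svc.Status) StartType=$($svc.StartType)" }
else      { Write-Output "[service] $ServiceName not present" }
Get-Service | Where-Object { $_.Name -like '*Foxit*' -and $_.Name -ne $ServiceName } |
    ForEach-Object { Write-Output "[service] other Foxit service: $($_.Name) Status=$($_.Status)" }

# 3. Permission check on each install tree and on the directory holding the service binary.
$paths = [System.Collections.Generic.List[string]]::new()
$FoxitDirs | ForEach-Object { $paths.Add($_) }
$svcBin = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue).PathName
if ($svcBin) {
    # PathName may be quoted and carry arguments; keep only the executable's directory.
    $exePath = if ($svcBin -match '^"([^"]+)"') { $Matches[1] } else { ($svcBin -split ' ')[0] }
    $paths.Add((Split-Path -Parent $exePath))
}
foreach ($p in ($paths | Select-Object -Unique)) {
    $aces = @(Get-LowPrivWriteAces -Path $p)
    if ($aces.Count -eq 0) { Write-Output "[acl] OK       $p"; continue }
    foreach ($a in $aces) {
        Write-Output "[acl] WRITABLE $p : $($a.IdentityReference.Value) has $($a.FileSystemRights)"
    }
}
```

Run it from an elevated PowerShell session. A "WRITABLE" line names the principal and the right that lets a standard user change files the service may later execute, which is exactly what the ACL workaround above is meant to remove; a "VULNERABLE VERSION" line with the service present and running is the combination that warrants patching or disabling the service first.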
📡 Detection & Monitoring
Log Indicators:
- Unexpected file modifications in Foxit directories
- FoxitUpdateService spawning unusual processes
- Event logs showing privilege escalation to SYSTEM
Network Indicators:
- Unusual outbound connections from SYSTEM processes post-Foxit update
SIEM Query:
Process creation where parent_process_name contains 'FoxitUpdateService' and user='SYSTEM'
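The SIEM query above, rewritten as a local hunt over the Windows Security log so it can be run on a single host without a SIEM. This is an added example, not part of the advisory: it reads process-creation events (ID 4688), keeps those whose parent is the Foxit update service and whose creating account is LocalSystem, and flags children that are shells or script hosts rather than an installer. It assumes process-creation auditing is enabled (and command-line logging, if the CommandLine column should be populated), that the session is elevated, and that the parent-process field is present (Windows 10 / Server 2016 and later); the service name is the one used on this page and the interpreter list is an assumed, editable set.

```powershell
# Added example, not part of the Foxit advisory: runs the page's SIEM logic ("process creation
# where the parent is FoxitUpdateService and the user is SYSTEM") against the local Security
# log, event 4688. Assumptions: process-creation auditing is on (command-line logging too, if
# you want the CommandLine field), the shell is elevated (the Security log needs it), and the
# parent-process field exists (Windows 10 / Server 2016 and later). 'FoxitUpdateService' is the
# name used on the page; $SuspiciousImages is an assumed, editable list of interpreters.

function Get-EventDataField {
    # Pulls one named <Data> value out of a 4688 event's XML.
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-FoxitUpdateServiceChildren {
    param(
        [int]$Hours = 24,
        [string]$ParentPattern = 'FoxitUpdateService',
        [string[]]$SuspiciousImages = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                                        'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe')
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x      = [xml]$_.ToXml()
        $parent = Get-EventDataField $x 'ParentProcessName'
        $sid    = Get-EventDataField $x 'SubjectUserSid'     # S-1-5-18 is LocalSystem
        if ($parent -like "*$ParentPattern*" -and $sid -eq 'S-1-5-18') {
            $image = Get-EventDataField $x 'NewProcessName'
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $parent
                Image       = $image
                CommandLine = Get-EventDataField $x 'CommandLine'
                # An updater launching an installer is expected; a shell or script host
                # running as SYSTEM under the service is what deserves a look.
                HighSignal  = $SuspiciousImages -contains [System.IO.Path]::GetFileName($image)
            }
        }
    }
}

Find-FoxitUpdateServiceChildren -Hours 24 |
    Sort-Object Time |
    Format-Table Time, HighSignal, Image, CommandLine -AutoSize
```

Filtering on the SID rather than the account name avoids the usual 4688 quirk where a SYSTEM-created process shows the computer account name instead of "SYSTEM". Every row is a SYSTEM process started by the updater; rows with HighSignal set to True are the ones to pair with the file-modification indicators listed above when triaging.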