CVE-2025-55310
📋 TL;DR
This vulnerability allows attackers who can modify or replace the static HTML files used by Foxit PDF's StartPage feature to inject malicious content that loads automatically when the application starts. It affects Foxit PDF Reader and Foxit PDF Editor users on Windows and macOS running vulnerable versions. Successful exploitation could lead to information disclosure or unauthorized data access.
💻 Affected Systems
- Foxit PDF Reader
- Foxit PDF Editor
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through malicious code execution, credential theft, and lateral movement within the network.
Likely Case
Information disclosure through malicious scripts capturing user data or system information when Foxit PDF starts.
If Mitigated
Limited impact with proper file integrity monitoring and restricted file permissions preventing HTML file modification.
🎯 Exploit Status
Exploitation requires write access to Foxit installation directory or ability to replace HTML files through other means.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.2 or 2025.2
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: Yes
Instructions:
1. Download the latest version from the Foxit website.
2. Run the installer.
3. Restart the system.
4. Verify the version in Help > About.
🔧 Temporary Workarounds
Disable StartPage Feature
All platforms: Prevents loading of potentially malicious HTML content on application startup
Open Foxit > File > Preferences > General > Uncheck 'Show StartPage on startup'
Restrict File Permissions
Windows and macOS: Prevent unauthorized modification of HTML files in the Foxit installation directory
Windows: icacls "C:\Program Files\Foxit Software\Foxit PDF Reader\StartPage" /deny Users:(W)
macOS: chmod 755 /Applications/Foxit*.app/Contents/Resources/StartPage
🧯 If You Can't Patch
- Implement strict file integrity monitoring on Foxit installation directories
- Use application whitelisting to prevent execution of modified Foxit binaries
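The file integrity monitoring suggested above, as an added example that is not Foxit's code or part of this advisory: it records a SHA-256 baseline of the rendered StartPage assets, re-scans, and reports modified, added and removed files. The directory used here is a constructed temporary tree standing in for the real one (for example `C:\Program Files\Foxit Software\Foxit PDF Reader\StartPage`); the watched file types are an assumption.

```python
# Added example (not Foxit's code): a minimal file-integrity baseline for the
# StartPage directory. The directory used here is a constructed temporary tree
# standing in for the real one, e.g.
# C:\Program Files\Foxit Software\Foxit PDF Reader\StartPage
import hashlib
import tempfile
from pathlib import Path

# File types the StartPage feature renders (assumption); anything else is ignored.
WATCHED_SUFFIXES = {".html", ".htm", ".js", ".css"}


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each watched file (path relative to root, POSIX form) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences; any non-empty list is an alert condition."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Build a baseline over constructed files, tamper with the tree, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body>start page</body></html>")
        (root / "style.css").write_text("body { margin: 0 }")
        (root / "readme.txt").write_text("not watched")
        baseline = build_baseline(root)

        # Simulate tampering: one watched file changes, one unexpected file appears.
        (root / "index.html").write_text("<html><body>changed</body></html>")
        (root / "extra.js").write_text("// constructed, unexpected file")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline outside the monitored directory (and outside the reach of the same users the icacls/chmod rules restrict), and expect a legitimate delta immediately after a Foxit update; re-baseline right after patching so that the next alert is meaningful.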
🔍 How to Verify
Check if Vulnerable:
Check the Foxit version in Help > About. If the version is below 13.2 (for the older numbering) or below 2025.2 (for 2025 versions), the system is vulnerable.
Check Version:
On Windows: wmic product where name="Foxit PDF Reader" get version
On macOS: mdls -name kMDItemVersion /Applications/Foxit*.app
Verify Fix Applied:
Confirm version is 13.2 or higher (or 2025.2 or higher for 2025 versions) in Help > About.
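The two-branch version check above, as an added example that is not Foxit's code: it parses a reported version string, picks the fixed release for its branch (13.2 for the older numbering, 2025.2 for the 2025 numbering) and compares element-wise. Treating any version whose first component is 2025 or higher as the 2025 branch is this example's assumption, as is the layout of `wmic` output it parses; the sample output is constructed.

```python
# Added example (not Foxit's code): decide whether a reported Foxit version is
# below the fixed releases named in the advisory. Assumption: a first component
# of 2025 or more means the 2025 numbering; anything else is the older numbering.
FIXED_LEGACY = (13, 2)
FIXED_2025 = (2025, 2)


def parse_version(text: str) -> tuple[int, ...]:
    """'13.1.0.22420' -> (13, 1, 0, 22420); stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the version is below the fixed release of its branch."""
    v = parse_version(version)
    fixed = FIXED_2025 if v[0] >= 2025 else FIXED_LEGACY
    # Tuple comparison is element-wise, so (13, 2, 0, 1) >= (13, 2) holds.
    return v < fixed


def version_from_wmic(output: str) -> str:
    """Pull the value out of `wmic product ... get version` output, which
    prints a 'Version' header line followed by the value (assumed layout)."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    values = [ln for ln in lines if ln.lower() != "version"]
    if not values:
        raise ValueError("no version value in wmic output")
    return values[0]


# Constructed sample of wmic output, not captured from a real host.
SAMPLE_WMIC = "Version\n13.1.0.22420\n\n"

if __name__ == "__main__":
    v = version_from_wmic(SAMPLE_WMIC)
    print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Run it against the output of the Windows or macOS command above; an empty or non-numeric result raises rather than silently reporting "fixed", which is the failure mode you want when an inventory script hits a host where Foxit is not installed.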
📡 Detection & Monitoring
Log Indicators:
- Unexpected file modifications in Foxit installation directories
- Process creation events from modified Foxit executables
Network Indicators:
- Unusual outbound connections from Foxit process shortly after startup
SIEM Query:
(EventID=4663 OR EventID=4656) AND ObjectName LIKE "%Foxit%StartPage%" AND AccessMask=0x2
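The same detection logic applied to log records, as an added example that is not part of this advisory or any SIEM product: it keeps the event-ID grouping explicit (without parentheses, `AND` binds tighter than `OR` and 4663 events would match regardless of path) and generalizes the exact `AccessMask=0x2` match to a bit test, so a mask that combines WriteData with other rights still matches. The events below are constructed; field names follow the Windows Security log's 4656/4663 fields.

```python
# Added example (not Foxit's or any SIEM vendor's code): StartPage write
# detection over constructed Windows Security events. 4656 = handle requested,
# 4663 = access attempted. These events only exist when the "Audit File System"
# subcategory is enabled and the directory carries a SACL.
import re

WRITE_EVENT_IDS = {4656, 4663}
STARTPAGE_RE = re.compile(r"foxit.*startpage", re.IGNORECASE)
# 0x2 is WriteData/AddFile. Testing the bit rather than equality also catches
# combined masks such as 0x10002 (DELETE | WriteData).
WRITE_DATA = 0x2

# Constructed sample events, not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "jdoe", "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Program Files\Foxit Software\Foxit PDF Reader\StartPage\index.html",
     "AccessMask": "0x2"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "ProcessName": r"C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe",
     "ObjectName": r"C:\Users\jdoe\Documents\report.pdf", "AccessMask": "0x2"},
    {"EventID": 4656, "SubjectUserName": "jdoe", "ProcessName": r"C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe",
     "ObjectName": r"C:\Program Files\Foxit Software\Foxit PDF Reader\StartPage\main.js",
     "AccessMask": "0x1"},  # ReadData only: normal startup rendering
    {"EventID": 4688, "SubjectUserName": "jdoe", "ProcessName": r"C:\Windows\System32\cmd.exe",
     "ObjectName": r"C:\Program Files\Foxit Software\Foxit PDF Reader\StartPage\index.html",
     "AccessMask": "0x2"},  # wrong event type: the unparenthesized query would still hit this
    {"EventID": 4656, "SubjectUserName": "svc_build", "ProcessName": r"C:\Windows\System32\cmd.exe",
     "ObjectName": r"C:\Program Files\Foxit Software\Foxit PDF Reader\StartPage\style.css",
     "AccessMask": "0x10002"},  # DELETE | WriteData: exact match on 0x2 would miss it
]


def parse_mask(value) -> int:
    """AccessMask arrives as '0x2', '2' or an int depending on the collector."""
    if isinstance(value, int):
        return value
    return int(str(value), 16)


def is_startpage_write(event: dict) -> bool:
    """Object-access event that requests write on a Foxit StartPage object."""
    if event.get("EventID") not in WRITE_EVENT_IDS:
        return False
    if not STARTPAGE_RE.search(event.get("ObjectName", "")):
        return False
    return bool(parse_mask(event.get("AccessMask", 0)) & WRITE_DATA)


def find_startpage_writes(events: list[dict]) -> list[str]:
    """Return the ObjectName of every matching event, in log order."""
    return [e["ObjectName"] for e in events if is_startpage_write(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        if is_startpage_write(e):
            print(e["EventID"], e["SubjectUserName"], e["ProcessName"], "->", e["ObjectName"])
```

Expect a burst of true-but-benign hits from the installer during a Foxit update; correlate on `ProcessName` and `SubjectUserName` against your deployment tooling rather than suppressing the rule, since the event you care about is a write from an interactive user or an unrelated process.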