CVE-2025-59802
📋 TL;DR
This vulnerability in Foxit PDF Editor and Foxit PDF Reader lets an attacker change the visual content of a digitally signed PDF without invalidating the signature. The signature computation does not cover Optional Content Group (OCG) state, so content placed in OCGs can be shown or hidden after signing while Foxit still reports the signature as valid. It affects every user who relies on Foxit's signature verification as evidence of document integrity.
💻 Affected Systems
- Foxit PDF Editor
- Foxit PDF Reader
📦 What is this software?
Foxit PDF Reader is Foxit Software's free PDF viewer; Foxit PDF Editor (formerly Foxit PhantomPDF) is its commercial editing suite. Both create and verify PDF digital signatures, which is the feature this issue undermines.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify critical contract terms, financial amounts, or legal clauses in signed documents while signatures remain valid, leading to fraud, legal disputes, or unauthorized transactions.
Likely Case
Malicious actors could subtly alter document content to mislead recipients about signed agreements, potentially enabling phishing, misinformation, or minor fraud.
If Mitigated
Disabling JavaScript removes one trigger path, and attachment filtering plus out-of-band confirmation limits exposure, but the signature-coverage gap itself remains until the fix is installed: an unpatched build will still report a manipulated document's signature as valid.
🎯 Exploit Status
Exploitation requires crafting a PDF that carries optional content together with the JavaScript or action triggers that change its visibility, and getting that document into the target's signing or verification workflow (for example as a mail attachment or a document sent out for signature).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.2.1, 14.0.1, or 13.2.1 (one fixed release per branch; update to the fixed release of the branch you run)
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: Yes
Instructions:
1. Download the latest version of your branch from the Foxit website.
2. Run the installer.
3. Restart the system.
4. Verify the version in Help > About.
🔧 Temporary Workarounds
Disable JavaScript in Foxit
Applies to: all platforms. Removes the JavaScript trigger path for OCG state changes. It is a partial measure: other, non-JavaScript triggers mentioned above are unaffected, the signature-coverage gap itself stays open, and legitimate form scripts stop working.
Open Foxit > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'
Use an alternative PDF viewer for signed documents
Applies to: all platforms. Verify signatures in unaffected PDF software until the fix is installed, and confirm that the alternative viewer's own advisories do not list the same class of issue.
🧯 If You Can't Patch
- Implement strict PDF attachment filtering and sandboxing for all incoming documents
- Train users to verify document integrity through secondary channels when signatures are critical
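A concrete form of the attachment-filtering control above, added here as an example and not part of this advisory or of Foxit's software: a standard-library Python pre-filter that an upload handler or mail gateway can run over inbound PDFs. It flags the ingredients this advisory names (optional content groups, JavaScript, automatic actions) and, for signed documents, any bytes appended after the signed /ByteRange, also looking inside FlateDecode streams where object streams can hide dictionaries. The sample PDF bytes, the review/allow policy and the helper names are constructed for the example; the code does not validate signatures and is a triage aid, not a replacement for the patch.

```python
"""Added example (not Foxit's code): heuristic pre-filter for inbound PDFs.

Flags optional content, JavaScript, auto-actions and post-signature bytes so
that signed documents carrying them can be routed to a review queue."""
import re
import zlib

# A signature dictionary carries /ByteRange [a b c d]: the signed bytes are
# [a, a+b) and [c, c+d); anything beyond c+d was added after signing.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

INDICATORS = {
    # catalog /OCProperties, OCG / OCMD dictionaries, and /OC on content
    "optional_content": re.compile(rb"/OCProperties\b|/OCGs?\b|/OCMD\b|/OC\b"),
    "javascript": re.compile(rb"/JavaScript\b|/JS\b"),
    "auto_action": re.compile(rb"/OpenAction\b|/AA\b"),
}


def _inflate_streams(data):
    """Best-effort inflate of FlateDecode streams (object streams keep their
    dictionaries there). Non-Flate streams raise and are skipped; a stream the
    regex truncated still yields whatever bytes could be decoded."""
    chunks = []
    for m in STREAM_RE.finditer(data):
        try:
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return b"".join(chunks)


def scan_pdf(data):
    """Return {'signed', 'bytes_after_signature', 'flags'} for raw PDF bytes."""
    report = {"signed": False, "bytes_after_signature": 0, "flags": set()}
    ranges = [tuple(int(x) for x in m.groups()) for m in BYTERANGE_RE.finditer(data)]
    if ranges:
        report["signed"] = True
        # With several signatures, the range that reaches furthest is decisive.
        a, b, c, d = max(ranges, key=lambda r: r[2] + r[3])
        report["bytes_after_signature"] = max(0, len(data) - (c + d))
    searchable = data + _inflate_streams(data)
    for name, pattern in INDICATORS.items():
        if pattern.search(searchable):
            report["flags"].add(name)
    return report


def decide(report):
    """Constructed policy: unsigned PDFs take the normal sandbox path; signed
    PDFs with layers, script, auto-actions or post-signature bytes are held
    for human review rather than trusted on the strength of the signature."""
    if not report["signed"]:
        return "allow"
    if report["flags"] or report["bytes_after_signature"] > 0:
        return "review"
    return "allow"


def objstm_wrapper(inner_objects):
    """Constructed helper: wrap object definitions in a FlateDecode object
    stream, the way a writer can hide dictionaries from naive name scans."""
    packed = zlib.compress(inner_objects)
    return (b"8 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n"
            % len(packed)) + packed + b"\nendstream\nendobj\n"


def build_sample_pdf(with_layers=True, with_js=True, appended=b""):
    """Constructed test input, not a real document: structurally a signed PDF
    with a dummy /Contents; only the layout matters to the scanner."""
    catalog = b"/Type /Catalog /Pages 2 0 R"
    if with_layers:
        catalog += b" /OCProperties << /OCGs [5 0 R] /D << /ON [5 0 R] >> >>"
    if with_js:
        catalog += b" /OpenAction << /S /JavaScript /JS (this.getOCGs()[0].state = false;) >>"
    body = b"%PDF-1.7\n1 0 obj << " + catalog + b" >>\nendobj\n"
    if with_layers:
        body += b"5 0 obj << /Type /OCG /Name (Layer 1) >>\nendobj\n"
    contents = b"<" + b"00" * 16 + b">"
    placeholder = b"/ByteRange [" + b" " * 40 + b"]"
    pre = (body + b"6 0 obj << /Type /Sig /Filter /Adobe.PPKLite "
           b"/SubFilter /adbe.pkcs7.detached " + placeholder + b" /Contents ")
    post = b" >>\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    # Fill the ByteRange so it covers everything except /Contents itself;
    # ljust keeps the placeholder width so offsets stay valid.
    values = b"0 %d %d %d" % (len(pre), len(pre) + len(contents), len(post))
    pre = pre.replace(placeholder, b"/ByteRange [" + values.ljust(40) + b"]")
    return pre + contents + post + appended


if __name__ == "__main__":
    hidden = objstm_wrapper(b"7 0 obj << /Type /OCG /Name (Hidden) >> endobj")
    samples = [
        ("layers + javascript", build_sample_pdf()),
        ("plain signed", build_sample_pdf(with_layers=False, with_js=False)),
        ("OCG appended after signing, inside an object stream",
         build_sample_pdf(with_layers=False, with_js=False, appended=hidden)),
    ]
    for label, pdf in samples:
        r = scan_pdf(pdf)
        print(f"{label}: {decide(r)} flags={sorted(r['flags'])} "
              f"+{r['bytes_after_signature']} bytes after signed range")
```

Layered PDFs (maps, CAD exports) and incremental updates after a signature (a second signer, a filled form) are both legitimate, so the policy routes hits to review instead of blocking them. Names are never encrypted in an encrypted PDF, so the indicators still match there, but string contents are not inspectable without the password, and the scanner says nothing about whether the signature itself is valid.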
🔍 How to Verify
Check if Vulnerable:
Check the Foxit version in Help > About. The fix is per branch: you are vulnerable on the 2025 branch below 2025.2.1, on the 14.x branch below 14.0.1, or on the 13.x branch below 13.2.1. Do not compare across branches (14.0.1 is fixed even though it is numerically "below" 2025.2.1).
Check Version:
On Windows: wmic product where name="Foxit PDF Editor" get version (wmic is deprecated and missing from current Windows 11 builds, and wmic product queries are slow because they trigger MSI consistency checks; Help > About is authoritative).
Verify Fix Applied:
Confirm that Help > About shows 2025.2.1, 14.0.1, or 13.2.1, or a later release on the same branch.
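The per-branch comparison above is easy to get wrong when triaging an inventory export, so here is a small Python triage script added as an example (not Foxit's code). It maps each installed version to its branch's fixed release from this advisory, treats any branch the advisory does not list (for example 2024.x) as "unknown" to be checked against the vendor bulletin, and runs over constructed inventory lines standing in for an asset-management export; the line format and hostnames are assumptions.

```python
"""Added example (not Foxit's code): branch-aware triage of Foxit versions
against the fixed releases named in this advisory.

A flat "below 2025.2.1" test would mark every 13.x and 14.x install as
vulnerable and miss that 2025.1.x is unfixed despite looking newer than
14.0.1; each branch has its own fix level."""
import itertools

# Fixed release per major branch, taken from the advisory.
FIXED_BY_BRANCH = {
    2025: (2025, 2, 1),
    14: (14, 0, 1),
    13: (13, 2, 1),
}


def parse_version(text):
    """Turn '13.2.0.12345' or '14.0.1 Beta' into a comparable 3-tuple.
    Trailing non-digits in a field are dropped, missing fields count as 0."""
    fields = []
    for part in text.strip().split("."):
        digits = "".join(itertools.takewhile(str.isdigit, part))
        fields.append(int(digits) if digits else 0)
    while len(fields) < 3:
        fields.append(0)
    return tuple(fields[:3])


def assess(version):
    """Return 'fixed', 'vulnerable', or 'unknown' (branch not in the advisory)."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[0])
    if fixed is None:
        return "unknown"
    return "fixed" if v >= fixed else "vulnerable"


# Constructed inventory lines, "hostname,product,version", standing in for an
# export from an asset-management system (assumption: such an export exists).
SAMPLE_INVENTORY = """\
ws-101,Foxit PDF Editor,2025.1.0.28541
ws-102,Foxit PDF Editor,2025.2.1
ws-103,Foxit PDF Reader,13.1.5.22337
ws-104,Foxit PDF Reader,13.2.1
ws-105,Foxit PDF Editor,14.0.0
ws-106,Foxit PDF Editor,2024.3.0
ws-107,Adobe Acrobat Reader,24.2.20857
"""


def triage(inventory_text):
    """Map hostname -> assessment for every Foxit PDF line in the inventory."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(",", 2))
        if not product.startswith("Foxit PDF"):
            continue  # other vendors are out of scope for this advisory
        results[host] = assess(version)
    return results


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" are on a branch this advisory does not cover; check them against the Foxit security bulletin rather than assuming either way.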
📡 Detection & Monitoring
Log Indicators:
- Repeated signature-verification events for the same document, for example a recipient re-checking a document whose visible content appears to have changed
- Foxit JavaScript execution errors, or any script activity in documents that are signed (signed contracts and approvals rarely need scripts)
Network Indicators:
- Unusual PDF downloads from untrusted sources
SIEM Query (illustrative; the source and event field names depend on how Foxit logging is collected in your environment):
source="foxit" AND (event="javascript_execution" OR event="signature_verification")