CVE-2025-66494
📋 TL;DR
A use-after-free vulnerability in Foxit PDF Reader's PDF parsing allows remote code execution when opening malicious PDF files. This affects Windows users running vulnerable versions of Foxit PDF Reader. Attackers could exploit this by tricking users into opening specially crafted PDF documents.
💻 Affected Systems
- Foxit PDF Reader
📦 What is this software?
Foxit PDF Reader is Foxit Software's free desktop PDF viewer, the reader counterpart to the paid Foxit PDF Editor. It is widely deployed on Windows endpoints as a lighter alternative to Adobe Acrobat Reader, which is why a file-parsing bug in it is a practical phishing target.
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains arbitrary code execution on the victim's machine with the privileges of the user who opened the PDF. If that user is a local administrator, this is effectively full control of the system.
Likely Case
A malicious actor delivers a weaponized PDF via email or a web download; the user opens it, and the resulting code execution is used for data theft, credential harvesting, or as a foothold for further movement in the network.
If Mitigated
With the user running as a standard (non-administrator) account, Safe Reading Mode enabled, and application control or attack surface reduction rules that stop the reader from launching scripts and other LOLBins, code execution stays inside the unprivileged user's context and the usual follow-on tooling is blocked, which makes lateral movement much harder. None of these controls remove the memory corruption itself; only the patch does.
🎯 Exploit Status
Exploitation requires user interaction: the victim must open a malicious PDF. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.2.1, 14.0.1, or 13.2.1 depending on installed version
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: No
Instructions:
1. Open Foxit PDF Reader.
2. Go to Help > Check for Updates.
3. Follow the prompts to install the latest version.
4. Alternatively, download and install the fixed version for your branch from the Foxit website.
🔧 Temporary Workarounds
Disable JavaScript in Foxit
Platform: Windows. Removes the JavaScript-based trigger and heap-grooming vectors commonly used to reach PDF parser bugs. Because the flaw described here is in the parser itself, this narrows the attack surface but does not remove the vulnerability.
Open Foxit > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'
Enable Safe Reading Mode
Platform: Windows. Safe Reading Mode blocks the document-level actions (JavaScript, launching external applications) an attacker would otherwise use to trigger or chain the bug. It is not a process sandbox, so it does not contain code that is already executing, and it does not fix the parser bug.
Open Foxit > File > Preferences > Trust Manager > Check 'Enable Safe Reading Mode'
🧯 If You Can't Patch
- Open untrusted PDFs in a different viewer until Foxit can be updated (for example the built-in PDF viewer of Chrome or Edge, which renders PDFs inside a sandboxed renderer process)
- Quarantine or sandbox-detonate inbound PDF attachments at the email gateway and web proxy; blocking the file type outright is rarely workable, and the gateway should identify PDFs by content rather than by extension alone
🔍 How to Verify
Check if Vulnerable:
Check Foxit version: Open Foxit > Help > About Foxit Reader. If the installed version is older than the fixed release for its branch (2025.2.1 for the 2025 line, 14.0.1 for 14.x, 13.2.1 for 13.x), the system is vulnerable.
Check Version (note: wmic is deprecated and has been removed from recent Windows 11 builds, and querying Win32_Product triggers an MSI consistency check, and possibly a repair, of every installed package; prefer reading the Uninstall registry keys and use this only where nothing else is available):
wmic product where "name like 'Foxit%Reader%'" get version
Verify Fix Applied:
Verify that the installed version is at or above the fixed release for its branch (2025.2.1, 14.0.1 or 13.2.1) via Help > About Foxit Reader, and that no second, older copy remains installed (per-user and 32-bit installs are registered separately).
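The following PowerShell is an added example, not code from the Foxit advisory or from this page's author. It enumerates Foxit Reader installs from the Windows Uninstall registry keys (avoiding the wmic/Win32_Product side effects noted above) and compares each one against the fixed version for its release branch as listed on this page. Assumed, not taken from the page: that the registry DisplayName matches 'Foxit*Reader*', that branches are keyed by the major version number, and that any branch not listed should be reported as unknown rather than guessed.

```powershell
# Added example: registry-based version check against the fixed versions this page lists.
# Assumptions: DisplayName matches 'Foxit*Reader*'; branch = major version; unlisted
# branches are reported as unknown rather than assumed safe.

$FixedByBranch = @{
    2025 = [version]'2025.2.1'
    14   = [version]'14.0.1'
    13   = [version]'13.2.1'
}

function Get-FoxitReaderInstall {
    # 64-bit, 32-bit (WOW6432Node) and per-user installs are registered in different keys.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Foxit*Reader*' -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-FoxitReaderVersion {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    $installed = [version]$DisplayVersion          # accepts 2-, 3- or 4-part version strings
    $fixed     = $FixedByBranch[$installed.Major]  # fixed release for this branch, or $null
    if ($null -eq $fixed)          { $status = 'Unlisted branch - check vendor advisory' }
    elseif ($installed -lt $fixed) { $status = 'VULNERABLE' }
    else                           { $status = 'Fixed' }
    [pscustomobject]@{ Installed = $installed; Fixed = $fixed; Status = $status }
}

# Live check on this host (Windows with Foxit installed):
Get-FoxitReaderInstall | ForEach-Object {
    $r = Test-FoxitReaderVersion -DisplayVersion $_.DisplayVersion
    '{0}: installed {1}, fixed {2} -> {3}' -f $_.DisplayName, $r.Installed, $r.Fixed, $r.Status
}

# Offline sanity check with constructed version strings (not taken from real hosts):
'13.1.0.22420', '13.2.1.23340', '14.0.0.1', '2025.2.1', '12.1.2.15332' |
    ForEach-Object { Test-FoxitReaderVersion -DisplayVersion $_ } | Format-Table -AutoSize
```

The comparison uses .NET's [version] type, so a four-part build string such as 13.2.1.23340 compares correctly against the three-part 13.2.1 the advisory quotes. Run it from a management host against inventory data, or push it through your endpoint management tool, rather than relying on users reading the About dialog.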
📡 Detection & Monitoring
Log Indicators:
- Application Error (Event ID 1000) and Windows Error Reporting (Event ID 1001) entries for the Foxit Reader process with exception code 0xc0000005 (access violation); failed attempts at a use-after-free exploit usually surface as crashes before a reliable one does
- Unexpected child processes spawned by the Foxit Reader process (cmd.exe, powershell.exe, wscript.exe, rundll32.exe and similar)
Network Indicators:
- PDF downloads from suspicious or newly registered domains, and PDF attachments from external senders
- Outbound connections from the Foxit Reader process to destinations other than its known update and cloud service endpoints
SIEM Query:
process_name:("FoxitReader.exe" OR "FoxitPDFReader.exe") AND (event_id:1000 OR event_id:1001) AND exception_code:0xc0000005
The executable name changed between Foxit Reader releases, so match both. The exception code is normally embedded in the event's message text rather than exposed as its own field; map it to whatever field your log parser extracts it into.
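The following PowerShell is an added example, not code from the Foxit advisory or from this page's author. It implements the second log indicator above (unexpected child processes of Foxit Reader) over Sysmon Event ID 1 (ProcessCreate) records, reading EventData fields by name so the logic does not break when the Sysmon schema changes field order. Assumed, not taken from the page: that the reader binary is FoxitReader.exe or FoxitPDFReader.exe (the name changed across versions), that Sysmon with ProcessCreate logging is present for the live query, and the sample records at the bottom, which are constructed for illustration rather than captured from a real incident.

```powershell
# Added example: detect child processes of Foxit Reader from Sysmon ProcessCreate events.
# Assumptions: reader binary is FoxitReader.exe or FoxitPDFReader.exe; Sysmon EID 1 is
# logged for the live query; the $Samples records below are constructed, not real telemetry.

$FoxitImages = @('FoxitReader.exe', 'FoxitPDFReader.exe')
# Children a PDF viewer has no ordinary reason to launch; treated as high severity.
$LolbinChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                    'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe')

function Get-Leaf([string]$Path) { ($Path -split '[\\/]')[-1] }   # file name from a full path

function Test-FoxitSpawn {
    # $Event is a hashtable with ParentImage, Image and CommandLine as Sysmon logs them.
    param([Parameter(Mandatory)][hashtable]$Event)
    $parent = Get-Leaf $Event.ParentImage
    $child  = Get-Leaf $Event.Image
    if ($FoxitImages -notcontains $parent) { return $null }        # not a Foxit child: ignore
    $severity = if ($LolbinChildren -contains $child) { 'High' } else { 'Review' }
    [pscustomobject]@{
        Severity    = $severity
        Parent      = $parent
        Child       = $child
        CommandLine = $Event.CommandLine
    }
}

function ConvertFrom-SysmonRecord {
    # Read EventData by field name; Properties[] indexes shift between Sysmon schema versions.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function Get-FoxitSpawnsFromSysmon {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { Test-FoxitSpawn -Event (ConvertFrom-SysmonRecord $_) } |
        Where-Object { $null -ne $_ }
}

# Constructed sample records (not real telemetry) to exercise the logic offline.
$Samples = @(
    # Foxit launching cmd.exe: the pattern a successful exploit chain typically shows.
    @{ ParentImage = 'C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
       Image       = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe /c whoami > C:\Users\Public\w.txt' },
    # Foxit launching the browser: a link click, worth a look but not a high-severity alert.
    @{ ParentImage = 'C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
       Image       = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
       CommandLine = 'msedge.exe https://example.com' },
    # Unrelated parent: must be ignored.
    @{ ParentImage = 'C:\Windows\explorer.exe'
       Image       = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe' }
)
$Samples | ForEach-Object { Test-FoxitSpawn -Event $_ } | Where-Object { $_ } | Format-Table -AutoSize

# Live query on a Sysmon-enabled host:
# Get-FoxitSpawnsFromSysmon | Format-Table -AutoSize
```

Tune the 'Review' tier to your environment: browser launches from link clicks and Foxit's own updater are expected, while any LOLBin child of the reader should page someone. Pair this with the crash-event query above, since a burst of 0xc0000005 crashes for the reader followed by a child process from it is the sequence a real exploitation attempt leaves behind.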