CVE-2025-66495
📋 TL;DR
A use-after-free vulnerability in Foxit PDF Reader's annotation handling allows remote code execution when a user opens a malicious PDF file containing crafted JavaScript. It affects Windows and macOS users running vulnerable versions of Foxit PDF Reader. Attackers could exploit this to take control of affected systems.
💻 Affected Systems
- Foxit PDF Reader
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains full system control through arbitrary code execution, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Targeted attacks against organizations using spear-phishing with malicious PDF attachments, resulting in initial access and potential privilege escalation.
If Mitigated
Limited impact with proper application whitelisting, network segmentation, and user awareness training preventing successful exploitation.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious PDF file. JavaScript execution is necessary for the vulnerability to trigger.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.2.1, 14.0.1, or 13.2.1 depending on product line
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: Yes
Instructions:
1. Open Foxit PDF Reader
2. Go to Help > Check for Updates
3. Follow prompts to install latest version
4. Restart computer after installation
🔧 Temporary Workarounds
Disable JavaScript in Foxit Reader
Platform: Windows
Prevents JavaScript execution in PDF files, which blocks exploitation of this vulnerability.
Open Foxit Reader > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'
Use alternative PDF viewer
Platform: All
Temporarily use built-in PDF viewers or other applications until patching is complete.
🧯 If You Can't Patch
- Implement application whitelisting to block unauthorized PDF readers
- Deploy network segmentation to limit lateral movement from compromised systems
🔍 How to Verify
Check if Vulnerable:
Check the Foxit Reader version in Help > About. If the version is below the fixed version for its product line (2025.2.1, 14.0.1, or 13.2.1), the system is vulnerable.
Check Version:
On Windows: wmic product where name="Foxit Reader" get version (wmic is deprecated in current Windows releases and may be absent; the Help > About check works regardless)
Verify Fix Applied:
Verify in Help > About that the version is 2025.2.1, 14.0.1, or 13.2.1 or higher for its product line.
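The version triage above, as an added example (not part of this advisory and not Foxit's own tooling). It assumes the three fixed versions map to product lines by major version (2025.x, 14.x, 13.x) and treats builds from any unlisted, older line as vulnerable because no fix is listed for them; the wmic output it parses is constructed.

```python
"""Version triage for CVE-2025-66495 (added example, not from the advisory)."""

# Fixed versions from the advisory, keyed by product-line major version.
# Assumption: each fixed version applies to the product line sharing its major.
FIXED_BY_LINE = {
    2025: (2025, 2, 1),
    14: (14, 0, 1),
    13: (13, 2, 1),
}


def parse_version(text: str) -> tuple:
    """Turn '2025.2.0.12345' into (2025, 2, 0, 12345); stop at a non-numeric piece."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_vulnerable(version_text: str) -> bool:
    """True if the installed build is below the fix for its product line."""
    version = parse_version(version_text)
    fixed = FIXED_BY_LINE.get(version[0])
    if fixed is None:
        # Unlisted product line (e.g. 12.x): no fix listed, treat as vulnerable.
        return True
    # Compare only the components the fixed version defines; tuples compare
    # lexicographically, so (14, 0, 0) < (14, 0, 1) and (14, 1, 0) >= (14, 0, 1).
    return version[: len(fixed)] < fixed


def triage_wmic_output(output: str) -> list:
    """Parse the 'Version' column printed by the advisory's wmic command, triage each row."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    rows = lines[1:] if lines and lines[0].lower().startswith("version") else lines
    return [(row, is_vulnerable(row)) for row in rows]


# Constructed sample mimicking: wmic product where name="Foxit Reader" get version
SAMPLE_WMIC_OUTPUT = """Version
14.0.0.2020
13.2.1.1001
"""

if __name__ == "__main__":
    for ver, vuln in triage_wmic_output(SAMPLE_WMIC_OUTPUT):
        print(f"{ver}: {'VULNERABLE - update' if vuln else 'fixed'}")
```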
📡 Detection & Monitoring
Log Indicators:
- Foxit Reader crash logs with memory access violations
- Windows Event Logs showing Foxit process termination with exception codes
Network Indicators:
- Unusual outbound connections from Foxit Reader process
- PDF file downloads from suspicious sources
SIEM Query:
process_name:"FoxitReader.exe" AND (event_id:1000 OR exception_code:0xc0000005)