CVE-2025-66522
📋 TL;DR
A stored cross-site scripting vulnerability in Foxit PDF Editor Cloud allows attackers to inject malicious scripts into the Digital IDs Common Name field. When users view affected PDFs or access the Digital IDs dialog, the scripts execute in their browser context. This affects all users of Foxit PDF Editor Cloud who process PDFs with Digital IDs.
💻 Affected Systems
- Foxit PDF Editor Cloud
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as the victim user, redirect to malicious sites, or install malware through drive-by downloads.
Likely Case
Session hijacking, credential theft, or unauthorized actions within the Foxit Cloud application using the victim's permissions.
If Mitigated
Limited impact if proper content security policies are enforced and user sessions have short timeouts with strict validation.
🎯 Exploit Status
Exploitation requires the attacker to create or modify a PDF with malicious Digital ID content and convince the victim to open it in Foxit PDF Editor Cloud.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific version
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: No
Instructions:
1. Visit Foxit security bulletins page.
2. Identify the patch for CVE-2025-66522.
3. Apply the cloud service update as per Foxit instructions.
4. Verify the fix by testing Digital IDs functionality.
🔧 Temporary Workarounds
Disable Digital IDs functionality
Temporarily disable or restrict access to Digital IDs features in Foxit PDF Editor Cloud
Implement Content Security Policy
Add strict CSP headers to prevent script execution from untrusted sources
Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Implement web application firewall rules to block malicious script patterns in Digital ID fields
- Educate users to avoid opening PDFs from untrusted sources in Foxit PDF Editor Cloud
🔍 How to Verify
Check if Vulnerable:
Test by creating a Digital ID with <script>alert('XSS')</script> in the Common Name field and checking whether the script executes when the PDF is viewed
Check Version:
Check Foxit Cloud interface for version information or contact Foxit support
Verify Fix Applied:
Repeat the vulnerability test after patching; the script should be properly encoded and should not execute
📡 Detection & Monitoring
Log Indicators:
- Unusual Digital ID creation/modification patterns
- Multiple failed script execution attempts in web logs
Network Indicators:
- Outbound connections to suspicious domains after PDF viewing
- Unusual data exfiltration patterns
SIEM Query:
source="foxit-cloud" AND (event="digital_id_created" OR event="pdf_viewed") AND (common_name CONTAINS "<script>" OR common_name CONTAINS "javascript:")
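The query above matches the literal substrings `<script>` and `javascript:`. The following added example (not from Foxit or the original advisory) applies the same check to exported events after undoing percent- and HTML-entity encoding and ignoring letter case. The field and event names are taken from the query; the JSON-lines log format and the sample events are assumptions constructed for illustration.

```python
import html
import json
import re
from urllib.parse import unquote

# Field and event names come from the page's SIEM query; JSON-lines storage is assumed.
WATCHED_EVENTS = {"digital_id_created", "pdf_viewed"}
# A Common Name is plain text, so markup characters or a script URL scheme are unexpected.
SUSPICIOUS = re.compile(r"[<>]|javascript\s*:", re.IGNORECASE)

def normalize(value, rounds=3):
    """Undo percent- and HTML-entity encoding, a bounded number of times."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(event):
    # Only watched events from the foxit-cloud source are considered.
    if event.get("source") != "foxit-cloud" or event.get("event") not in WATCHED_EVENTS:
        return False
    cn = event.get("common_name")
    return isinstance(cn, str) and bool(SUSPICIOUS.search(normalize(cn)))

def scan(lines):
    """Return (line_number, raw common_name) for every suspicious event."""
    hits = []
    for number, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid JSON
        if isinstance(event, dict) and is_suspicious(event):
            hits.append((number, event["common_name"]))
    return hits

# Constructed sample log (not real data); the payload is the page's own test string.
SAMPLE_LOG = [json.dumps({"source": s, "event": e, "common_name": cn}) for s, e, cn in [
    ("foxit-cloud", "digital_id_created", "Alice Example"),
    ("foxit-cloud", "digital_id_created", "<script>alert('XSS')</script>"),
    ("foxit-cloud", "pdf_viewed", "%3CSCRIPT%3Ealert('XSS')%3C/SCRIPT%3E"),
    ("foxit-cloud", "pdf_viewed", "&lt;script&gt;alert('XSS')&lt;/script&gt;"),
    ("foxit-cloud", "digital_id_created", "R&D Signing CA"),
    ("other-app", "pdf_viewed", "<script>alert('XSS')</script>"),
]] + ["truncated log line {"]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

An entity-encoded Common Name in the log may be the patched application's correctly encoded output, but it still shows that markup was submitted in the field, so it is reported as well.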