CVE-2025-9330
📋 TL;DR
This vulnerability in Foxit PDF Reader's Update Service allows local attackers to escalate privileges by loading a malicious library from an unsecured location. Attackers who already have low-privileged code execution can exploit this to gain SYSTEM-level access. All Foxit PDF Reader installations with the vulnerable Update Service are affected.
💻 Affected Systems
- Foxit PDF Reader
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation from standard user to SYSTEM, allowing attackers to bypass security controls, install additional malware, or maintain persistence.
If Mitigated
Limited impact if proper privilege separation and application control policies prevent unauthorized code execution and library loading.
🎯 Exploit Status
Exploitation requires local access and ability to execute low-privileged code first. The DLL hijacking technique is well-understood and relatively easy to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Foxit security bulletin for specific patched version
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: Yes
Instructions:
1. Visit the Foxit security bulletins page
2. Download and install the latest Foxit PDF Reader version
3. Restart the system to ensure the update service is patched
🔧 Temporary Workarounds
Disable Foxit Update Service
Windows: Prevent the vulnerable service from running
sc stop FoxitReaderUpdateService
sc config FoxitReaderUpdateService start= disabled
Remove write permissions from Foxit directories
Windows: Prevent DLL planting in Foxit directories
icacls "C:\Program Files\Foxit Software\Foxit PDF Reader" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement application control policies to prevent execution of unauthorized binaries
- Use privilege management tools to restrict standard users from writing to Foxit installation directories
🔍 How to Verify
Check if Vulnerable:
Check Foxit Reader version against vendor advisory. Verify FoxitReaderUpdateService is running via 'sc query FoxitReaderUpdateService'
Check Version:
Check Help > About in Foxit Reader or examine file properties of FoxitReader.exe
Verify Fix Applied:
Verify installed Foxit version matches patched version from advisory. Confirm FoxitReaderUpdateService is either updated or disabled.
📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL loads by FoxitReaderUpdateService.exe
- Process creation events showing FoxitReaderUpdateService spawning unexpected child processes
- File creation events in Foxit installation directories from non-admin users
Network Indicators:
- Unusual outbound connections from FoxitReaderUpdateService.exe
SIEM Query:
Process Creation where Image contains 'FoxitReaderUpdateService' and CommandLine contains unusual arguments
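The log indicators listed above, correlated in a single pass over exported events. This is an added example, not part of the original advisory or any vendor tooling; it assumes events arrive as dictionaries with Sysmon-style field names, and the trusted-directory and trusted-writer allowlists and all sample events are constructed for illustration.

```python
import ntpath

SERVICE_EXE = "foxitreaderupdateservice.exe"  # service binary named on this page
INSTALL_DIR = r"c:\program files\foxit software\foxit pdf reader"  # from the icacls workaround
TRUSTED_DIRS = (INSTALL_DIR, r"c:\windows")  # assumption: tune per environment
TRUSTED_WRITERS = {r"nt authority\system", r"nt service\trustedinstaller"}  # assumption

def _norm(path):
    return ntpath.normpath(path).lower()

def _under(path, root):
    return _norm(path).startswith(root + "\\")

def detect(events):
    """Return (rule, detail) findings for the log indicators, in event order."""
    findings, planted = [], set()
    for ev in events:
        eid, user = ev["EventID"], ev.get("User", "").lower()
        image = ntpath.basename(ev.get("Image", "")).lower()
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if eid == 11 and _under(ev["TargetFilename"], INSTALL_DIR):
            if user not in TRUSTED_WRITERS:  # file dropped by a non-privileged account
                planted.add(_norm(ev["TargetFilename"]))
                findings.append(("untrusted-write", ev["TargetFilename"]))
        elif eid == 7 and image == SERVICE_EXE:
            loaded = _norm(ev["ImageLoaded"])
            if loaded in planted:  # service loaded a file flagged earlier
                findings.append(("load-of-planted-file", ev["ImageLoaded"]))
            elif not any(_under(loaded, d) for d in TRUSTED_DIRS):
                findings.append(("load-outside-trusted-dirs", ev["ImageLoaded"]))
        elif eid == 1 and parent == SERVICE_EXE:  # reports every child; allowlist known ones
            findings.append(("child-process", ev["Image"]))
    return findings

# Constructed sample events (field names modelled on Sysmon IDs 1, 7, 11; not real telemetry).
DIR = r"C:\Program Files\Foxit Software\Foxit PDF Reader"
SVC = DIR + r"\FoxitReaderUpdateService.exe"
SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE = [
    {"EventID": 7, "Image": SVC, "User": SYSTEM, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "User": r"CORP\alice",
     "TargetFilename": DIR + r"\example.dll"},
    {"EventID": 7, "Image": SVC, "User": SYSTEM, "ImageLoaded": DIR + r"\example.dll"},
    {"EventID": 7, "Image": SVC, "User": SYSTEM, "ImageLoaded": r"C:\ProgramData\example2.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SVC, "User": SYSTEM},
]

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```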