CVE-2011-10030

HIGH

Foxit PDF Reader < 4.3.1.0218 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2011-10030. PoCs published by Metasploit, bannedit, Chris Evans, including Metasploit module exploits/windows/fileformat/foxit_reader_filewrite.

AI-analyzed exploit summary This exploit leverages an unsafe JavaScript API in Foxit PDF Reader 4.2 to write arbitrary files to the filesystem, achieving remote code execution by dropping a payload in the Startup folder. It uses base64-encoded payloads and a VBS decoder to execute the final executable.

Description

Foxit PDF Reader < 4.3.1.0218 exposes a JavaScript API function, createDataObject(), that allows untrusted PDF content to write arbitrary files anywhere on disk. By embedding a malicious PDF that calls this API, an attacker can drop executables or scripts into privileged folders, leading to code execution the next time the system boots or the user logs in.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocalwindows

https://www.exploit-db.com/exploits/16978

View Code ZIP pw:eip

This exploit leverages an unsafe JavaScript API in Foxit PDF Reader 4.2 to write arbitrary files to the filesystem, achieving remote code execution by dropping a payload in the Startup folder. It uses base64-encoded payloads and a VBS decoder to execute the final executable.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Foxit PDF Reader 4.2

No auth needed

Prerequisites: Victim must open the malicious PDF file · Administrative privileges required for writing to the All Users Startup folder

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1059.005 - Visual Basic

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC NORMAL

by bannedit, Chris Evans · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb

View Code ZIP pw:eip

This Metasploit module exploits an unsafe JavaScript API in Foxit PDF Reader 4.2, allowing arbitrary file writes via the createDataObject() function. It writes a base64-encoded payload and a decoder script to the Windows Temp directory, achieving remote code execution when an administrative user opens the malicious PDF.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Foxit PDF Reader v4.2

No auth needed

Prerequisites: Administrative privileges to write to the All Users directory · Victim must open the malicious PDF file

MITRE ATT&CK

T1204.002 - Malicious File T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Various Sources

https://scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/16978

Various Sources exploit

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb

Various Sources technical-description exploit

http://scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html

Various Sources vendor-advisory patch

https://www.foxit.com/pdf-reader/version-history.html

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/foxit-pdf-reader-javascript-file-write

Scores

CVSS v4 8.4

EPSS 0.0035

EPSS Percentile 26.9%

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-73

Status published

Products (1)

Foxit Software/Foxit PDF Reader < 4.3.1.0218

Published Aug 20, 2025

Tracked Since Feb 18, 2026