CVE-2017-7442

HIGH

Nitro Pro 11.0.3.173 - Remote Code Execution via Directory Traversal in saveAs and launchURL

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-7442. PoCs published by Metasploit, including Metasploit module exploits/windows/fileformat/nitro_reader_jsapi.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2017-7442 in Nitro Pro PDF Reader 11.0.3.173 by leveraging unsafe JavaScript APIs (saveAs and launchURL) to write arbitrary files and execute them, achieving remote code execution.

Description

Nitro Pro 11.0.3.173 allows remote attackers to execute arbitrary code via saveAs and launchURL calls with directory traversal sequences.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/42418

This Metasploit module exploits CVE-2017-7442 in Nitro Pro PDF Reader 11.0.3.173 by leveraging unsafe JavaScript APIs (saveAs and launchURL) to write arbitrary files and execute them, achieving remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Nitro Pro PDF Reader 11.0.3.173
No auth needed
Prerequisites: Victim must open the malicious PDF file
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/nitro_reader_jsapi.rb

This Metasploit module exploits an unsafe JavaScript API in Nitro Pro PDF Reader 11.0.3.173, allowing arbitrary file writes via saveAs() and local file execution via launchURL() to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Nitro Pro PDF Reader 11.0.3.173
No auth needed
Prerequisites: Victim must open a malicious PDF file
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
http://srcincite.io/advisories/src-2017-0005/
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42418/

Scores

CVSS v3 8.8
EPSS 0.7030
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-22
Status: published
Products (1): gonitro/nitro_pro 11.0.3.173
Published: Aug 03, 2017
Tracked Since: Feb 18, 2026