CVE-2018-9958

HIGH

Foxit Reader and PhantomPDF < 9.0.1.1049 - Remote Code Execution via Text Annotation Point Attribute

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2018-9958. PoCs published by Metasploit, mr_me, CrossWire, including Metasploit module exploits/windows/fileformat/foxit_reader_uaf.

AI-analyzed exploit summary This Metasploit module exploits a Use-After-Free (UAF) vulnerability in Foxit PDF Reader v9.0.1.1049, combining it with an uninitialized pointer issue to leak memory addresses and execute a ROP chain for arbitrary code execution.

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Text Annotations. When setting the point attribute, the process does not properly validate the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5620.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalwindows
https://www.exploit-db.com/exploits/45269

This Metasploit module exploits a Use-After-Free (UAF) vulnerability in Foxit PDF Reader v9.0.1.1049, combining it with an uninitialized pointer issue to leak memory addresses and execute a ROP chain for arbitrary code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Foxit PDF Reader v9.0.1.1049
No auth needed
Prerequisites: Victim must open the malicious PDF file in Foxit PDF Reader v9.0.1.1049
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by mr_me · textremotewindows
https://www.exploit-db.com/exploits/44941

This exploit leverages CVE-2018-9958 and CVE-2018-9948 to achieve remote code execution in Foxit Reader 9.0.1.1049 via a use-after-free vulnerability and information disclosure. It uses heap manipulation and ROP chains to execute arbitrary code (e.g., calc.exe).

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Foxit Reader 9.0.1.1049
No auth needed
Prerequisites: Victim must open the malicious PDF file in Foxit Reader 9.0.1.1049
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by CrossWire · pythonlocalwindows
https://www.exploit-db.com/exploits/49116

This exploit leverages a use-after-free vulnerability in Foxit Reader 9.0.1.1049 to achieve arbitrary code execution via a crafted PDF file. It employs heap manipulation and ROP chains to execute a specified binary path.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Foxit Reader 9.0.1.1049
No auth needed
Prerequisites: Foxit Reader 9.0.1.1049 installed on Windows · Victim must open the malicious PDF
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by mr_me, bit from meepwn, saelo, Jacob Robles · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/foxit_reader_uaf.rb

This Metasploit module exploits a Use-After-Free (UAF) vulnerability in Foxit PDF Reader v9.0.1.1049, combining it with an uninitialized pointer issue to leak memory addresses and execute a ROP chain for remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Unknown
Target: Foxit PDF Reader v9.0.1.1049
No auth needed
Prerequisites: Windows 7 x64, Windows 10 Pro x64 Build 17134, or Windows 10 Enterprise x64 with insecure logons enabled
devstral-2 · analyzed Mar 02, 2026 Full analysis →

References (5)

Core 5
Core References
Patch, Vendor Advisory x_refsource_confirm
https://www.foxitsoftware.com/support/security-bulletins.php
Third Party Advisory, VDB Entry x_refsource_misc
https://zerodayinitiative.com/advisories/ZDI-18-342
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44941/
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45269/

Scores

CVSS v3 8.8
EPSS 0.8646
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-416
Status published
Products (2)
foxitsoftware/foxit_reader < 9.0.1.1049
foxitsoftware/phantompdf < 9.0.1.1049
Published May 17, 2018
Tracked Since Feb 18, 2026