CVE-2023-27363

HIGH

Foxit PDF Reader < 12.1.1.15289 and PDF Editor < 10.1.11.37866 - Remote Code Execution via exportXFAData Method

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2023-27363. PoCs published by webraybtl, qwqdanchun, CN016.

AI-analyzed exploit summary This repository contains a technical analysis and reproduction of the Foxit PDF remote code execution vulnerability CVE-2023-27363. The README provides a disclaimer and context but lacks actual exploit code or detailed technical breakdown.

Description

Foxit PDF Reader exportXFAData Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the exportXFAData method. The application exposes a JavaScript interface that allows writing arbitrary files. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-19697.

Exploits (3)

nomisec WRITEUP 11 stars

by webraybtl · poc

https://github.com/webraybtl/CVE-2023-27363

View Code ZIP pw:eip

This repository contains a technical analysis and reproduction of the Foxit PDF remote code execution vulnerability CVE-2023-27363. The README provides a disclaimer and context but lacks actual exploit code or detailed technical breakdown.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Theoretical

Target: Foxit PDF Reader

No auth needed

Prerequisites: Vulnerable version of Foxit PDF Reader · Crafted malicious PDF file

MITRE ATT&CK

T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 2 stars

by qwqdanchun · poc

https://github.com/qwqdanchun/CVE-2023-27363

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-27363, which leverages a vulnerability in PDF processing libraries (Syncfusion/Aspose) to embed malicious JScript code in XFA forms. The GUI application generates a weaponized PDF that executes arbitrary commands when opened.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Syncfusion PDF Library / Aspose.PDF (versions affected by CVE-2023-27363)

No auth needed

Prerequisites: Victim must open the generated PDF file · Target system must have vulnerable PDF library installed

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec NO CODE 1 stars

by CN016 · poc

https://github.com/CN016/-Foxit-PDF-CVE-2023-27363-

View Code ZIP pw:eip

References (2)

Core 2

Core References

Third Party Advisory x_research-advisory

https://www.zerodayinitiative.com/advisories/ZDI-23-491/

Vendor Advisory vendor-advisory

https://www.foxit.com/support/security-bulletins.html

Scores

CVSS v3 7.8

EPSS 0.4699

EPSS Percentile 98.7%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-749

Status published

Products (2)

foxit/pdf_editor < 10.1.11.37866

foxit/pdf_reader < 12.1.1.15289

Published May 03, 2024

Tracked Since Feb 18, 2026