CVE-2024-25575

HIGH

Foxit Reader 2024.1.0.23997 - RCE

Title source: llm

Description

A type confusion vulnerability vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a Lock object. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

References (2)

[Exploit, Third Party Advisory] https://talosintelligence.com/vulnerability_reports/TALOS-2024-1963

[Third Party Advisory] https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1963

Scores

CVSS v3 8.8

EPSS 0.0355

EPSS Percentile 87.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-843

Status published

Products (3)

foxit/pdf_editor 2024.1.0.23997

foxit/pdf_editor < 11.2.8.53842

foxit/pdf_reader 2024.1.0.23997

Published Apr 30, 2024

Tracked Since Feb 18, 2026