Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2022-24955

CVE-2022-24955: Foxit PDF Reader DLL Hijacking Vulnerability

CVE-2022-24955 is a DLL hijacking flaw in Foxit PDF Reader and Editor that allows attackers to exploit uncontrolled search paths. This article covers the technical details, affected versions, and mitigation steps.

Updated:

CVE-2022-24955 Overview

CVE-2022-24955 is an Uncontrolled Search Path Element vulnerability [CWE-427] affecting Foxit PDF Reader and Foxit PDF Editor on Windows. Versions before 11.2.1 load Dynamic Link Library (DLL) files without enforcing a controlled search path. An attacker who places a malicious DLL in a directory the application searches can achieve arbitrary code execution in the context of the user. The flaw maps to a network attack vector with no privileges or user interaction required by the scoring vector. Foxit addressed the issue in version 11.2.1 of both products.

Critical Impact

Attackers can execute arbitrary code with the privileges of the Foxit user by planting a crafted DLL along the application's search path, leading to full compromise of confidentiality, integrity, and availability.

Affected Products

  • Foxit PDF Reader before 11.2.1
  • Foxit PDF Editor before 11.2.1
  • Microsoft Windows (host platform)

Discovery Timeline

  • 2022-02-11 - CVE-2022-24955 published to the National Vulnerability Database (NVD)
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-24955

Vulnerability Analysis

The vulnerability stems from how Foxit PDF Reader and Foxit PDF Editor resolve dependent DLLs at load time. The applications search directories in a sequence that includes attacker-influenceable locations, such as the current working directory or directories on the user's PATH. When a DLL with a name matching one the application expects appears earlier in the search order than the legitimate library, Windows loads the attacker's DLL into the Foxit process. Execution then occurs inside the trusted application boundary under the user's account.

Root Cause

The root cause is improper validation of the DLL search path, classified as [CWE-427] Uncontrolled Search Path Element. The application calls LoadLibrary style imports without supplying absolute paths or using SetDefaultDllDirectories to restrict the search to known-safe locations. As a result, the Windows loader follows its default search order, which can include directories writable by a normal user.

Attack Vector

Exploitation typically requires the victim to open a PDF, installer, or shortcut from a directory containing the malicious DLL. Common delivery methods include archives that bundle a PDF alongside a sibling DLL, network shares hosting both files, or USB media. Once Foxit launches from that location, the rogue DLL loads automatically. Because the Foxit installation is widely deployed on corporate workstations, the technique is attractive for initial access and lateral movement scenarios.

No public proof-of-concept is listed in the enriched data, and the issue is not present on the CISA Known Exploited Vulnerabilities list. See the Foxit Security Bulletins for vendor technical details.

Detection Methods for CVE-2022-24955

Indicators of Compromise

  • Unsigned or unexpected DLL files located in directories alongside .pdf documents, particularly on removable media or shared folders.
  • FoxitPDFReader.exe or FoxitPDFEditor.exe loading modules from user-writable paths such as %USERPROFILE%\Downloads or %TEMP%.
  • Child processes spawned by Foxit binaries that perform reconnaissance commands (whoami, net, powershell).

Detection Strategies

  • Hunt for module-load events where the image path of the loaded DLL is outside %ProgramFiles%\Foxit Software while the parent process is a Foxit binary.
  • Compare the signing certificate of loaded modules against the expected Foxit publisher and flag mismatches.
  • Alert on Foxit processes opening files from network shares that also contain DLLs not signed by Foxit or Microsoft.

Monitoring Recommendations

  • Forward Sysmon Event ID 7 (Image Loaded) and Event ID 1 (Process Create) to a central SIEM and apply queries scoped to Foxit binaries.
  • Track Windows Defender Application Control or AppLocker block events that involve Foxit-launched DLLs.
  • Review endpoint telemetry for Foxit installations still reporting versions earlier than 11.2.1.

How to Mitigate CVE-2022-24955

Immediate Actions Required

  • Upgrade Foxit PDF Reader and Foxit PDF Editor to version 11.2.1 or later on all Windows endpoints.
  • Inventory deployed Foxit versions through software asset management and prioritize remediation for systems handling untrusted PDFs.
  • Restrict execution of unsigned DLLs through AppLocker or Windows Defender Application Control policies.

Patch Information

Foxit released fixed builds in version 11.2.1 of both PDF Reader and PDF Editor. Download details and release notes are available in the Foxit Security Bulletins. Administrators using enterprise deployment tooling should push the MSI update package and verify the version string after rollout.

Workarounds

  • Open PDFs only from trusted, write-protected directories until patching is complete.
  • Disable opening PDFs directly from removable media, network shares, or email attachments through Group Policy.
  • Configure Windows to enforce safe DLL search mode by setting the SafeDllSearchMode registry value to 1.
bash
# Configuration example: enable SafeDllSearchMode on Windows hosts
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.