CVE-2023-27363 Overview
CVE-2023-27363 is a remote code execution vulnerability affecting Foxit PDF Reader and Foxit PDF Editor on Microsoft Windows. The vulnerability exists in the exportXFAData method, which exposes a dangerous JavaScript interface that allows attackers to write arbitrary files to the target system. Remote attackers can leverage this flaw to execute arbitrary code on affected installations when a user visits a malicious webpage or opens a specially crafted PDF file.
Critical Impact
This vulnerability allows complete compromise of the affected system with the privileges of the current user. Attackers can leverage the exposed exportXFAData method to write and execute arbitrary files, potentially leading to malware installation, data theft, or lateral movement within enterprise networks.
Affected Products
- Foxit PDF Reader (Windows)
- Foxit PDF Editor (Windows)
- Microsoft Windows (as the affected platform)
Discovery Timeline
- 2024-05-03 - CVE-2023-27363 published to NVD
- 2025-08-11 - Last updated in NVD database
Technical Details for CVE-2023-27363
Vulnerability Analysis
The vulnerability resides in the implementation of the exportXFAData method within Foxit PDF Reader and PDF Editor. This method is part of the application's JavaScript API and was designed to handle XFA (XML Forms Architecture) data export functionality. However, the implementation exposes a dangerous capability that allows writing arbitrary files to the filesystem without proper validation or security constraints.
XFA forms are dynamic forms that can contain scripts and interact with the underlying application through JavaScript APIs. The exportXFAData method, when invoked through a malicious PDF document, can be abused to write files to arbitrary locations on the system. By crafting a malicious PDF that calls this method with attacker-controlled parameters, an adversary can drop executable files or scripts to locations that enable code execution, such as startup folders or scheduled task directories.
This vulnerability is classified under CWE-749 (Exposed Dangerous Method or Function), indicating that the application exposes a method that performs dangerous operations without adequate access controls or input validation.
Root Cause
The root cause of CVE-2023-27363 is the exposure of the exportXFAData JavaScript interface without proper security restrictions. The method allows writing files to arbitrary filesystem locations, which should have been restricted or sandboxed. The lack of path validation, destination restrictions, and user confirmation dialogs allows attackers to weaponize this functionality for arbitrary file write operations that lead to code execution.
Attack Vector
Exploitation requires user interaction—the victim must either visit a malicious webpage that embeds a crafted PDF or directly open a malicious PDF file. The attack flow typically follows this pattern:
The attacker crafts a malicious PDF document containing JavaScript code that invokes the exportXFAData method with carefully chosen parameters. When the victim opens this PDF in Foxit PDF Reader or PDF Editor, the embedded JavaScript executes and triggers the file write operation. The attacker can write an executable file or script to a location that enables automatic execution, such as the Windows Startup folder or a location within the PATH environment.
Once the malicious file is written, code execution can occur immediately (if writing to a location like a browser download handler) or upon next system login (if targeting startup locations). The attacker's code then executes with the same privileges as the user who opened the malicious PDF.
Detection Methods for CVE-2023-27363
Indicators of Compromise
- Unexpected file creation events in sensitive directories (Startup folder, scheduled tasks, user profile directories) originating from FoxitReader.exe or FoxitPDFEditor.exe processes
- PDF files containing JavaScript calls to exportXFAData method with path traversal sequences or absolute paths to sensitive directories
- Suspicious child process spawning from Foxit PDF Reader or Editor processes, particularly command interpreters like cmd.exe or powershell.exe
- Registry modifications or new scheduled tasks created shortly after PDF document access
Detection Strategies
- Monitor process creation events where FoxitReader.exe or FoxitPDFEditor.exe are parent processes, especially for shell interpreters or unexpected executables
- Implement file integrity monitoring on startup folders and other auto-run locations to detect unauthorized file writes
- Deploy content inspection rules to identify PDF documents containing calls to exportXFAData with suspicious parameters
- Use behavior-based endpoint detection to identify abnormal file write patterns from PDF viewer applications
Monitoring Recommendations
- Enable detailed file system auditing on Windows endpoints to capture file creation events from Foxit applications
- Configure SIEM rules to correlate PDF document opens with subsequent suspicious file writes or process executions
- Implement network-level inspection to detect and block malicious PDF files at the perimeter before they reach end users
- Establish baseline behavior for Foxit applications and alert on deviations such as unexpected network connections or file operations
How to Mitigate CVE-2023-27363
Immediate Actions Required
- Update Foxit PDF Reader and Foxit PDF Editor to the latest patched versions available from Foxit
- Review and audit systems for signs of exploitation, particularly checking startup folders and auto-run locations for unexpected files
- Consider temporarily disabling JavaScript execution in Foxit PDF Reader/Editor through application settings until patches are applied
- Educate users about the risks of opening PDF documents from untrusted sources
Patch Information
Foxit has released security updates to address this vulnerability. Administrators should consult the Foxit Security Bulletins for the latest patch information and affected version details. The vulnerability was tracked by the Zero Day Initiative as ZDI-CAN-19697 and published as ZDI-23-491.
Organizations should prioritize patching all instances of Foxit PDF Reader and PDF Editor across their environment, focusing first on systems with internet-facing exposure or users who frequently handle external documents.
Workarounds
- Disable JavaScript execution in Foxit PDF Reader/Editor by navigating to File → Preferences → JavaScript and unchecking "Enable JavaScript Actions"
- Configure application whitelisting to prevent unauthorized executables from running from common drop locations like Startup folders
- Implement email gateway filtering to quarantine or strip potentially malicious PDF attachments before delivery
- Use alternative PDF viewers that are not affected by this vulnerability for opening untrusted documents
# Registry setting to disable JavaScript in Foxit Reader (Windows)
# Run as Administrator
reg add "HKEY_CURRENT_USER\Software\Foxit Software\Foxit Reader\Preferences\Global" /v "bEnableJS" /t REG_DWORD /d 0 /f
# For Foxit PDF Editor
reg add "HKEY_CURRENT_USER\Software\Foxit Software\Foxit PhantomPDF\Preferences\Global" /v "bEnableJS" /t REG_DWORD /d 0 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
