CVE-2024-25575 Overview
CVE-2024-25575 is a type confusion vulnerability [CWE-843] in Foxit Reader and Foxit PDF Editor version 2024.1.0.23997. The flaw resides in how the application handles a Lock object when processing JavaScript embedded in PDF documents. A crafted PDF containing malicious JavaScript triggers memory corruption that can lead to arbitrary code execution in the context of the current user.
Exploitation requires user interaction. An attacker must convince a target to open a malicious PDF or visit a crafted website while the Foxit browser plugin extension is enabled. The vulnerability affects Foxit deployments on both Microsoft Windows and Apple macOS.
Critical Impact
Successful exploitation enables arbitrary code execution on the victim host through a crafted PDF or browser-rendered document, compromising confidentiality, integrity, and availability.
Affected Products
- Foxit PDF Editor 2024.1.0.23997
- Foxit PDF Reader 2024.1.0.23997
- Foxit deployments on Microsoft Windows and Apple macOS
Discovery Timeline
- 2024-04-30 - CVE-2024-25575 published to the National Vulnerability Database (NVD)
- 2025-11-04 - Last updated in NVD
Technical Details for CVE-2024-25575
Vulnerability Analysis
The vulnerability is a type confusion condition mapped to [CWE-843], Access of Resource Using Incompatible Type. Foxit Reader exposes a JavaScript API that allows PDF documents to instantiate and manipulate internal application objects, including the Lock object. When the application processes JavaScript that interacts with a Lock instance, it treats the underlying memory as a different object type than what was actually allocated.
This mismatch corrupts internal state and pointer references inside the process. An attacker who controls the type assumption can pivot the corrupted memory into a controlled read, write, or call primitive. The end result is arbitrary code execution within the Foxit process, inheriting the privileges of the user running the application.
Root Cause
The root cause is missing or incorrect type validation when the JavaScript engine binds operations to the Lock object. The runtime accepts the object reference without confirming its actual type, allowing methods or property accesses to operate on memory of a different shape. The Talos advisory documents the affected code path and confirms the trigger originates from JavaScript embedded inside a PDF.
Attack Vector
The attack vector is network-based with required user interaction. Two delivery paths are documented:
- The victim opens a malicious PDF file in Foxit PDF Reader or Foxit PDF Editor.
- The victim visits a malicious website while the Foxit browser plugin extension is enabled, causing the document to render through the plugin.
Both paths execute the embedded JavaScript automatically once the document loads. Refer to the Talos Intelligence Vulnerability Report for the documented proof-of-concept conditions. No public exploit has been confirmed in the wild, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2024-25575
Indicators of Compromise
- PDF files containing JavaScript that instantiates the Lock object or invokes its methods in unusual sequences.
- Crashes or unexpected termination of FoxitPDFReader.exe or FoxitPDFEditor.exe shortly after opening a document.
- Child processes such as cmd.exe, powershell.exe, or rundll32.exe spawned by Foxit binaries.
- Outbound network connections initiated by Foxit processes to non-Foxit infrastructure following document open events.
Detection Strategies
- Inspect PDF documents at the email and web gateway for embedded JavaScript referencing Lock constructors and other scriptable internal objects.
- Hunt endpoint telemetry for parent-child process relationships where Foxit binaries spawn shell or scripting interpreters.
- Correlate Foxit application crash events in the Windows Application event log with concurrent document open activity.
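A gateway-side triage for the first strategy above, as an added example (not code from Foxit, Talos, or this page). It counts script and auto-run names after undoing `#xx` name escapes, inflates Flate streams, and looks for the bare token `Lock`. Matching on that token is an assumption drawn from the advisory wording, and both sample documents are constructed.

```python
import re
import zlib

# Name tokens a gateway would flag: script actions and auto-run triggers.
SUSPECT_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# Heuristic: the bare token "Lock" (taken from the advisory text, an assumption).
LOCK_RE = re.compile(rb"\bLock\b")


def decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names, e.g. /J#61vaScript -> /JavaScript."""
    def unescape(m):
        return re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return re.sub(rb"/[^\s/<>\[\]()]+", unescape, data)


def stream_bodies(data: bytes):
    """Yield each stream body, inflated when it is Flate-compressed."""
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the end-of-line bytes left after the data
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            yield m.group(1)  # other filter or uncompressed: scan raw bytes


def triage_pdf(data: bytes) -> dict:
    """Report script/auto-run names and whether any script text mentions Lock."""
    normalized = decode_names(data)
    names = {n: len(re.findall(re.escape(n.encode()) + rb"(?![A-Za-z0-9])",
                               normalized)) for n in SUSPECT_NAMES}
    has_js = names["/JS"] > 0 or names["/JavaScript"] > 0
    lock = has_js and any(LOCK_RE.search(b) for b in [data, *stream_bodies(data)])
    return {"names": names, "has_javascript": has_js, "references_lock": bool(lock)}


# Constructed samples: a hex-escaped /JavaScript name with a compressed
# placeholder script, and a document with no script at all.
_SCRIPT = zlib.compress(b"/* constructed placeholder mentioning Lock */")
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n"
              b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
              + _SCRIPT + b"\nendstream\nendobj\n%%EOF\n")
BENIGN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
```

Scripts hidden in object streams or behind filters other than Flate are not inflated here, so a clean result is a triage signal, not proof that a document carries no script.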
Monitoring Recommendations
- Enable process creation auditing (Windows Event ID 4688 or Sysmon Event ID 1) on workstations running Foxit products.
- Monitor file write activity from Foxit processes into user-writable directories such as %APPDATA% and %TEMP%.
- Track installed Foxit versions across the fleet to identify hosts still running 2024.1.0.23997 or earlier.
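The parent-child hunt described above, run over the two process-creation sources this section names, as an added example (not a vendor rule). The event records are constructed, flattened field dictionaries, and the hosts and install paths are made up.

```python
import ntpath

# Process names listed on this page.
FOXIT_PARENTS = {"foxitpdfreader.exe", "foxitpdfeditor.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}

# (parent field, child field) for Sysmon Event ID 1 and Security Event ID 4688.
LINEAGE_FIELDS = {
    1: ("ParentImage", "Image"),
    4688: ("ParentProcessName", "NewProcessName"),
}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating quotes."""
    return ntpath.basename(path.strip().strip('"')).lower()


def foxit_spawn_alerts(events):
    """Return one alert per event where a Foxit binary started a flagged child."""
    alerts = []
    for ev in events:
        fields = LINEAGE_FIELDS.get(ev.get("EventID"))
        if fields is None:
            continue  # not a process-creation record
        parent, child = (image_name(ev.get(f, "")) for f in fields)
        if parent in FOXIT_PARENTS and child in SUSPECT_CHILDREN:
            alerts.append({"host": ev.get("Computer"), "parent": parent,
                           "child": child, "source_event": ev["EventID"]})
    return alerts


# Constructed records; hosts and install paths are made up for illustration.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws-01",
     "ParentImage": r"C:\Apps\Foxit\FoxitPDFReader.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "ws-01",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Apps\Foxit\FoxitPDFReader.exe"},
    {"EventID": 4688, "Computer": "ws-02",
     "ParentProcessName": r'"C:\APPS\FOXIT\FOXITPDFEDITOR.EXE"',
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 3, "Computer": "ws-02", "Image": r"C:\Apps\Foxit\FoxitPDFReader.exe"},
    {"EventID": 1, "Computer": "ws-03",
     "ParentImage": r"C:\Apps\Foxit\FoxitPDFReader.exe",
     "Image": r"C:\Windows\splwow64.exe"},
]
```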
How to Mitigate CVE-2024-25575
Immediate Actions Required
- Upgrade Foxit PDF Reader and Foxit PDF Editor to a version released after 2024.1.0.23997 that includes the fix referenced in the Talos advisory.
- Inventory all Windows and macOS endpoints to identify vulnerable Foxit installations.
- Disable the Foxit browser plugin extension on endpoints that cannot be patched immediately.
- Block inbound PDF attachments from untrusted senders at the email gateway pending remediation.
Patch Information
Foxit addressed the type confusion condition in releases following 2024.1.0.23997. Consult the Talos Intelligence Vulnerability Report TALOS-2024-1963 for the vendor-fixed build and apply updates through the Foxit auto-update mechanism or by deploying current installers from the vendor.
Workarounds
- Disable JavaScript execution inside Foxit PDF Reader and Foxit PDF Editor through Preferences > JavaScript until patching is complete.
- Remove or disable the Foxit browser plugin extension across managed browsers.
- Restrict the ability to open PDF files from untrusted sources using application allowlisting and attachment filtering policies.
# Example: disable Foxit JavaScript execution via Windows registry (per-user)
reg add "HKCU\Software\Foxit Software\Foxit PDF Reader\Preferences\JavaScript" /v bEnableJS /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Foxit Software\Foxit PDF Editor\Preferences\JavaScript" /v bEnableJS /t REG_DWORD /d 0 /f

