CVE-2024-7723: Foxit PDF Editor RCE Vulnerability

CVE-2024-7723 Overview

CVE-2024-7723 is a use-after-free vulnerability [CWE-416] in Foxit PDF Reader and Foxit PDF Editor that enables remote code execution. The flaw exists in the handling of AcroForms, where the application fails to validate the existence of an object before performing operations on it. Remote attackers can exploit this issue by convincing a user to open a crafted PDF file or visit a malicious page hosting one. Successful exploitation results in arbitrary code execution in the context of the current process. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-23736 and disclosed in advisory ZDI-24-1125.

Critical Impact

Remote attackers can execute arbitrary code on Windows systems running vulnerable Foxit PDF Reader or Foxit PDF Editor when a user opens a malicious PDF document.

Affected Products

• Foxit PDF Reader (Windows)
• Foxit PDF Editor (Windows)
• Versions prior to the fix referenced in the Foxit Security Bulletins

Discovery Timeline

• 2024-08-21 - CVE-2024-7723 published to the National Vulnerability Database (NVD)
• 2024-10-18 - Last updated in NVD database
• Advisory - Reported via the Zero Day Initiative as ZDI-CAN-23736 and published as Zero Day Initiative Advisory ZDI-24-1125

Technical Details for CVE-2024-7723

Vulnerability Analysis

The vulnerability is a use-after-free condition triggered during AcroForm processing in Foxit PDF Reader and Foxit PDF Editor. AcroForms are interactive form elements embedded in PDF documents, and they often rely on JavaScript event handlers and object references. When the application performs operations on an AcroForm object that has already been freed, the resulting dangling pointer can be reused by attacker-controlled data. This allows an attacker to corrupt program state and ultimately redirect execution flow within the rendering process.

Exploitation requires user interaction. The target must open a crafted PDF file or browse to a page that delivers one through the Foxit browser plugin. Because the attack vector is network-reachable and authentication is not required, weaponized documents distributed through email, drive-by downloads, or shared file repositories present a realistic delivery path.

Root Cause

The root cause is the absence of an object-existence check before the application accesses an AcroForm-related object. Lifetime management of these objects is not enforced across script-driven manipulation, so an object can be released while a reference is retained. Subsequent dereferences operate on freed memory, fulfilling the conditions for a classic use-after-free [CWE-416].

Attack Vector

An attacker crafts a PDF document containing AcroForm structures and JavaScript that drives the application into freeing a referenced object and then re-using it. When the victim opens the file, the application accesses the dangling reference and the attacker controls the data backing the freed allocation. From there, conventional exploitation techniques such as heap grooming and control of virtual function table pointers can convert the memory corruption into arbitrary code execution within the Foxit process.

No public proof-of-concept code has been released. Technical details are documented in the Zero Day Initiative Advisory ZDI-24-1125.

Detection Methods for CVE-2024-7723

Indicators of Compromise

• Unexpected child processes spawned by FoxitPDFReader.exe or FoxitPDFEditor.exe, such as cmd.exe, powershell.exe, or rundll32.exe
• Foxit processes making outbound network connections shortly after opening a PDF
• Crashes or exception logs in Foxit binaries referencing AcroForm or JavaScript handlers
• PDF files containing heavily obfuscated JavaScript that manipulates AcroForm fields and triggers object destruction

Detection Strategies

• Monitor process lineage for Foxit applications and alert on script interpreters or LOLBins spawned as children
• Inspect inbound PDF attachments at the mail gateway for JavaScript and AcroForm anomalies
• Apply EDR behavioral rules that flag memory-protection changes (VirtualProtect to RWX) inside Foxit processes

Monitoring Recommendations

• Forward Foxit application crash and Windows Error Reporting events to your SIEM for triage
• Track installed Foxit versions across the estate and alert on hosts running builds prior to the patched release listed in the Foxit Security Bulletins
• Correlate document-open telemetry with subsequent network egress to identify post-exploitation beaconing

How to Mitigate CVE-2024-7723

Immediate Actions Required

• Update Foxit PDF Reader and Foxit PDF Editor to the patched versions referenced in the Foxit Security Bulletins
• Disable JavaScript execution within Foxit PDF Reader and Foxit PDF Editor until patches are deployed
• Block or quarantine PDF attachments from untrusted external senders at the mail gateway
• Remove the Foxit browser plugin on systems where in-browser PDF rendering is not required

Patch Information

Foxit has published fixed versions of PDF Reader and PDF Editor for Windows. Refer to the Foxit Security Bulletins and Zero Day Initiative Advisory ZDI-24-1125 for the specific build numbers that resolve CVE-2024-7723. Apply the vendor update across all Windows endpoints running affected installations.

Workarounds

• Disable JavaScript in Foxit preferences under File > Preferences > JavaScript by clearing Enable JavaScript Actions
• Enable Safe Reading Mode in Foxit preferences to restrict execution of script and external content from untrusted documents
• Open untrusted PDFs in a sandboxed viewer or browser-isolated environment until patches are applied

# Configuration example: disable Foxit JavaScript via registry on Windows
reg add "HKCU\Software\Foxit Software\Foxit PDF Reader\Preferences\JavaScript" /v bEnableJS /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Foxit Software\Foxit PDF Editor\Preferences\JavaScript" /v bEnableJS /t REG_DWORD /d 0 /f