Skip to main content
CVE Vulnerability Database

CVE-2025-9326: Foxit PDF Editor RCE Vulnerability

CVE-2025-9326 is a remote code execution vulnerability in Foxit PDF Editor caused by improper PRC file parsing. Attackers can exploit this flaw to execute arbitrary code. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-9326 Overview

CVE-2025-9326 is an out-of-bounds read vulnerability [CWE-125] in Foxit PDF Reader and Foxit PDF Editor. The flaw exists in the parsing logic for Product Representation Compact (PRC) files embedded within PDF documents. Attackers can leverage this issue to execute arbitrary code in the context of the current process after a user opens a crafted file or visits a malicious page. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-26784 and tracked publicly as ZDI-25-866. Foxit products on both Microsoft Windows and Apple macOS are affected.

Critical Impact

Successful exploitation allows arbitrary code execution under the privileges of the user running Foxit PDF Reader or Editor, enabling full local compromise of the user account.

Affected Products

  • Foxit PDF Reader (Windows and macOS)
  • Foxit PDF Editor versions up to and including 2025.1.0.27937 and 2025.1.0.66692
  • Microsoft Windows and Apple macOS host platforms

Discovery Timeline

  • 2025-09-02 - CVE-2025-9326 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9326

Vulnerability Analysis

The vulnerability resides in the PRC file parser used by Foxit PDF Reader and Foxit PDF Editor. PRC is a 3D file format that can be embedded within PDF documents to represent compact 3D geometry and product manufacturing information. The parser fails to properly validate user-supplied length or index fields before reading from an allocated buffer. As a result, the application reads past the end of the buffer when processing crafted PRC content.

An out-of-bounds read in a complex binary parser typically leaks adjacent heap memory into program state. Attackers can combine this leak with the predictable parser flow to corrupt control data or hijack indirect calls, achieving arbitrary code execution in the renderer process. The issue requires user interaction: the target must open a malicious PDF or browse to a page that delivers one through the browser plugin.

Root Cause

The root cause is missing bounds validation on attacker-controlled fields within the PRC stream [CWE-125]. The parser trusts length or offset values supplied by the file and dereferences pointers beyond the allocation boundary. Foxit's PRC parsing component does not enforce size constraints derived from the actual allocated buffer.

Attack Vector

Exploitation requires local file delivery and user interaction. An attacker crafts a PDF containing a malicious PRC stream and delivers it via email attachment, drive-by download, or web page using the Foxit browser plugin. When the victim opens the document, the parser triggers the out-of-bounds read and the attacker gains code execution in the context of the current user.

The vulnerability manifests in Foxit's PRC stream parser when it processes
attacker-controlled length or index fields without validating them against
the allocated buffer size. No verified public proof-of-concept code is
available. See the Zero Day Initiative advisory ZDI-25-866 for additional
technical context.

Detection Methods for CVE-2025-9326

Indicators of Compromise

  • PDF documents containing embedded PRC (3D) streams originating from untrusted email senders or unknown web sources
  • Unexpected child processes spawned by FoxitPDFReader.exe or FoxitPDFEditor.exe, including command shells, scripting hosts, or rundll32.exe
  • Crash dumps or Windows Error Reporting events referencing the Foxit PRC parsing modules
  • Outbound network connections initiated by Foxit processes to unfamiliar domains shortly after a document is opened

Detection Strategies

  • Hunt for process lineage where Foxit reader or editor binaries spawn interpreters such as powershell.exe, cmd.exe, wscript.exe, or cscript.exe
  • Inspect PDFs at the email gateway for embedded /3D annotations and PRC subtype streams from external senders
  • Correlate Foxit application crashes with subsequent suspicious file writes in user profile directories

Monitoring Recommendations

  • Enable detailed process creation logging (Windows Event ID 4688 with command line, or Sysmon Event ID 1) on endpoints running Foxit products
  • Monitor file integrity for the Foxit installation directory to detect unauthorized binary modifications
  • Alert on memory access violations or exception events generated by Foxit processes

How to Mitigate CVE-2025-9326

Immediate Actions Required

  • Update Foxit PDF Reader and Foxit PDF Editor to the latest available version as published in the Foxit Security Bulletins
  • Disable the Foxit browser plugin and any automatic preview integrations until the patch is deployed across the fleet
  • Restrict PDF attachments from untrusted external senders at the mail gateway and quarantine documents containing embedded 3D content

Patch Information

Foxit has published fixes through the vendor security advisory page. Administrators should consult the Foxit Security Bulletins and the Zero Day Initiative Advisory ZDI-25-866 to confirm the fixed build numbers for Windows and macOS releases, then deploy through standard software distribution channels.

Workarounds

  • Configure Foxit preferences to disable 3D content rendering and PRC parsing where the feature is not required for business workflows
  • Open PDFs from untrusted sources in a sandboxed environment or a non-privileged virtual machine
  • Enforce attack surface reduction rules that block child process creation from PDF reader applications
bash
# Example: block child process creation from Foxit on Windows via AppLocker
# Create a deny rule for processes spawned by Foxit binaries
New-AppLockerPolicy -RuleType Path -User Everyone `
  -Path "%ProgramFiles%\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe" `
  -Action Deny -RuleNamePrefix "Block-Foxit-ChildProcs"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.