Skip to main content
CVE Vulnerability Database

CVE-2025-9328: Foxit PDF Editor RCE Vulnerability

CVE-2025-9328 is a remote code execution vulnerability in Foxit PDF Editor caused by improper validation when parsing PRC files. Attackers can exploit this flaw to execute arbitrary code. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2025-9328 Overview

CVE-2025-9328 is an out-of-bounds read vulnerability [CWE-125] in Foxit PDF Reader and Foxit PDF Editor. The flaw resides in the parser responsible for handling PRC (Product Representation Compact) files embedded within PDF documents. An attacker who convinces a user to open a crafted PDF or visit a malicious page can execute arbitrary code in the context of the current process. The issue was reported through the Zero Day Initiative as ZDI-CAN-26773 and published as ZDI-25-864.

Critical Impact

Successful exploitation grants arbitrary code execution under the privileges of the user running Foxit PDF Reader or Editor, enabling malware delivery, credential theft, or follow-on lateral movement.

Affected Products

  • Foxit PDF Reader (through version 2025.1.0.27937)
  • Foxit PDF Editor (through version 2025.1.0.66692)
  • Microsoft Windows and Apple macOS installations of the above products

Discovery Timeline

  • 2025-09-02 - CVE-2025-9328 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9328

Vulnerability Analysis

The vulnerability is an out-of-bounds read [CWE-125] in the PRC file parser. PRC is a 3D content format that Foxit PDF Reader processes when it encounters embedded 3D annotations or assemblies inside a PDF. The parser fails to properly validate user-supplied length or offset fields, allowing read operations past the boundary of an allocated buffer.

Reading beyond the buffer leaks adjacent heap memory and, depending on memory layout, corrupts control data interpreted by subsequent parsing routines. The Zero Day Initiative confirms that an attacker can chain this primitive to achieve arbitrary code execution within the Foxit process. Exploitation requires user interaction, such as opening a malicious PDF or visiting a page that triggers the browser plugin.

Root Cause

The root cause is missing bounds validation on fields parsed from untrusted PRC structures. The parser trusts attacker-controlled size or index values without confirming they remain within the allocated buffer, producing a deterministic out-of-bounds read that an attacker can shape into a code execution primitive.

Attack Vector

An attacker delivers a weaponized PDF containing a malformed PRC stream through email, file share, or web download. When the victim opens the file or previews a page rendering the embedded 3D content, the vulnerable parser is invoked. Refer to the Zero Day Initiative Advisory ZDI-25-864 for additional technical context.

Detection Methods for CVE-2025-9328

Indicators of Compromise

  • PDF files containing unusually large or malformed PRC streams referenced from /3D annotations or RichMedia objects.
  • Unexpected child processes spawning from FoxitPDFReader.exe or FoxitPDFEditor.exe, including cmd.exe, powershell.exe, or scripting hosts.
  • Crashes or access violations logged for the Foxit process referencing the PRC parsing module.

Detection Strategies

  • Inspect inbound PDFs at the email gateway for embedded 3D/PRC content and flag samples originating from untrusted senders.
  • Apply EDR behavioral rules that alert on Foxit processes creating new processes, writing executables, or making outbound network connections after opening a document.
  • Hunt for image loads of Foxit 3D parsing DLLs followed by exception or process-termination events on the same host.

Monitoring Recommendations

  • Forward Foxit application crash telemetry and Windows Error Reporting events to your SIEM for correlation.
  • Monitor file-write activity from Foxit processes into user AppData, Temp, or Startup directories.
  • Track endpoint inventory for outdated Foxit PDF Reader and Editor builds and prioritize patch deployment.

How to Mitigate CVE-2025-9328

Immediate Actions Required

  • Update Foxit PDF Reader and Foxit PDF Editor to the latest versions released after 2025.1.0.27937 and 2025.1.0.66692 respectively, per the Foxit Security Bulletins.
  • Restrict opening PDFs received from untrusted sources until patches are deployed across the environment.
  • Validate endpoint protection coverage and confirm scanning of PDF attachments at the mail gateway.

Patch Information

Foxit has published fixes through the Foxit Security Bulletins portal. Administrators should review the bulletin referencing ZDI-25-864 and deploy the corresponding updated builds of PDF Reader and PDF Editor on both Windows and macOS endpoints.

Workarounds

  • Disable 3D content rendering in Foxit preferences to prevent the PRC parser from processing untrusted streams.
  • Configure Foxit Safe Reading Mode to limit execution of embedded content from untrusted PDFs.
  • Use application allowlisting to block the launch of scripting interpreters as child processes of Foxit applications.
bash
# Configuration example: disable 3D content in Foxit on Windows via registry
reg add "HKCU\Software\Foxit Software\Foxit PDF Reader\Preferences\3D" /v "bEnable3D" /t REG_DWORD /d 0 /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.