CVE-2025-9329 Overview
CVE-2025-9329 is an out-of-bounds read vulnerability [CWE-125] in Foxit PDF Reader and Foxit PDF Editor. The flaw resides in the parser that processes Product Representation Compact (PRC) file data embedded in PDF documents. Attackers can leverage the issue to execute arbitrary code in the context of the current process. Exploitation requires user interaction: the target must open a malicious file or visit a malicious page that serves crafted PRC content. The Zero Day Initiative tracks this issue as ZDI-CAN-26772 and published the advisory as ZDI-25-863.
Critical Impact
Successful exploitation yields arbitrary code execution at the privileges of the user running Foxit PDF Reader or Foxit PDF Editor.
Affected Products
- Foxit PDF Editor (through version 2025.1.0.27937 on Windows and 2025.1.0.66692 on macOS)
- Foxit PDF Reader on Microsoft Windows
- Foxit PDF Reader on Apple macOS
Discovery Timeline
- 2025-09-02 - CVE-2025-9329 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9329
Vulnerability Analysis
The vulnerability stems from inadequate validation of user-supplied data during PRC file parsing. PRC is a 3D file format that Foxit applications embed and render inside PDF documents. When the parser reads structured fields from an attacker-controlled PRC stream, it dereferences indices or sizes without confirming that the corresponding read remains inside the allocated buffer. The resulting out-of-bounds read [CWE-125] exposes adjacent heap memory to the parsing logic.
Attackers chain the disclosed memory with further memory corruption primitives to achieve arbitrary code execution in the renderer process. Because PRC handling executes automatically when a PDF containing a 3D annotation is opened, a single crafted document is sufficient to trigger the vulnerable code path.
Root Cause
The root cause is missing bounds enforcement on length and offset values inside the PRC stream. The parser trusts attacker-controlled descriptors and reads past the end of the allocated buffer. This breaks the memory safety invariant required for safe deserialization of structured binary input.
Attack Vector
The attack requires local access in the sense that the victim must open a malicious file, but delivery is typically remote through email attachments, drive-by downloads, or links to crafted PDFs. Once the document loads, Foxit invokes the PRC parser without further user prompts. Code executes with the privileges of the logged-on user, which is sufficient for credential theft, persistence, and lateral movement on most workstations.
No verified public proof-of-concept exists. Refer to the Zero Day Initiative Advisory ZDI-25-863 for additional technical context.
Detection Methods for CVE-2025-9329
Indicators of Compromise
- PDF files containing 3D annotations or embedded PRC streams arriving from untrusted senders or download sources.
- Unexpected child processes (such as command shells, powershell.exe, or cmd.exe) spawned by FoxitPDFReader.exe or FoxitPDFEditor.exe.
- Crashes or access violations in the Foxit process tied to PRC parsing modules, recorded in Windows Application Event logs.
Detection Strategies
- Inspect inbound email and web traffic for PDF documents that contain 3D content streams, and detonate suspicious samples in a sandbox.
- Monitor endpoint telemetry for anomalous code execution, memory allocation patterns, or shellcode markers originating from Foxit processes.
- Correlate Foxit process crashes with subsequent process creation events to surface exploitation attempts that succeed or fail.
Monitoring Recommendations
- Centralize Foxit application crash telemetry and alert on repeated faults in PRC-related modules.
- Track installed Foxit versions across the fleet and flag hosts still running builds at or below 2025.1.0.27937 (Windows) and 2025.1.0.66692 (macOS).
- Alert when Foxit processes write executable files to user-writable paths or initiate outbound network connections to uncategorized destinations.
How to Mitigate CVE-2025-9329
Immediate Actions Required
- Update Foxit PDF Reader and Foxit PDF Editor to the latest fixed versions published in the Foxit Security Bulletins.
- Block or quarantine inbound PDF attachments that contain 3D annotations until patching completes.
- Restrict the default PDF handler on high-risk endpoints to a hardened reader configuration without 3D rendering support.
Patch Information
Foxit has released fixed builds addressing CVE-2025-9329. Administrators should review the Foxit Security Bulletins and the Zero Day Initiative Advisory ZDI-25-863 for the exact patched version strings, then deploy through standard software distribution mechanisms.
Workarounds
- Disable 3D content rendering inside Foxit PDF Reader and Foxit PDF Editor preferences until the patch is applied.
- Enforce Protected View or sandboxed reading mode so untrusted PDFs cannot interact with the local system.
- Train users to avoid opening unsolicited PDF documents and to report suspicious attachments to the security team.
# Example: enumerate Foxit installations on Windows endpoints to confirm patch status
Get-WmiObject -Class Win32_Product |
Where-Object { $_.Vendor -like "*Foxit*" } |
Select-Object Name, Version, InstallDate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

