Foxit PDF Reader, PhantomPDF Open to Remote Code Execution

Foxit Reader and PhantomPDF are plagued by several high-severity flaws that, if exploited, could enable remote code execution.

Foxit Software has released patches for dozens of high-severity flaws impacting its PDF reader and editor platforms. The most severe of the bugs, which exist on Windows versions of the software, enable a remote attacker to execute arbitrary code on vulnerable systems.

Overall, Foxit Software patched flaws tied to 20 CVEs in Foxit Reader and Foxit PhantomPDF (versions and earlier) for Windows. Foxit Reader is popular PDF software – with a user base of over 500 million for its free version – that provides tools for creating, signing and securing PDF files. PhantomPDF, meanwhile, enables users to convert different file formats to PDF. In addition to millions users for its branded software, major corporations as Amazon, Google,and Microsoft license Foxit Software technology, opening up its threat landscape even more.

“There are several bugs that could result in remote code execution [RCE],” Dustin Childs, manager at Trend Micro’s Zero Day Initiative (ZDI), told Threatpost. “All of these should be considered critical.”

Foxit Reader Flaws

The high-severity flaws in Foxit Reader enable RCE; they are fixed in Foxit Reader version 9.7.2. In an attack scenario for these flaws, “user interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file,” according to a Trend Micro ZDI vulnerability analysis.

Included are vulnerabilities (CVE-2020-10899, CVE-2020-10907) within the processing of XFA templates, a template embedded in PDFs that allows for fillable fields. The issues both result from the lack of validating the existence of an object prior to performing operations on that object. An attacker can leverage both flaws to execute code in the context of the current process. Researchers also found an RCE flaw (CVE-2020-10900) in the way AcroForms are processed. AcroForms are PDF files that contain form fields. Thebug exists because the AcroForms do not validate an object’s existence prior to performing operations on that object.

Finally, a flaw (CVE-2020-10906) was addressed in the resetForm method within Foxit Reader PDFs. The issue here is that there’s no check for an object prior to performing operations on the object, opening the process up to an RCE attack.


PhantomPDF also patched several high-severity flaws, which impact versions and earlier; users are urged to update to PhantomPDF version 9.7.2. Childs said the most severe of these are two flaws in PhantomPDF’s API communication (CVE-2020-10890 and CVE-2020-10892). PhantomPDF API calls are necessary for creating PDFs from other document types. These flaws stem from the handling of the ConvertToPDF command and the CombineFiles command, which allow an arbitrary file write with attacker controlled data.

“CVE-2020-10890 and CVE-2020-10892 stand out as they are relatively easy to exploit,” Childs told Threatpost. “They are very straightforward and don’t require massaging or spraying memory to be successful.”

Two other high-severity flaws (CVE-2020-10912, CVE-2020-10912) stem from the handling of the SetFieldValue command, which are set by the API calls. A lack of proper validation of user-supplied data for these commands results in a type confusion condition – and ultimately arbitrary code execution. For all high-severity flaws above, an attacker can execute code in the context of the current process – but user interaction is required in that the target must visit a malicious page or open a malicious file.

3D Plugin

Flaws tied to 11 CVEs were also patched in the beta version of the U3DBrowser Plugin ( and earlier), a Foxit Reader and PhantomPDF plugin that allows viewing embedded 3D annotations in PDF files. The U3DBrowser Plugin flaws specifically stem from the handling of U3D objects in PDF files. Universal 3D (U3D) is a compressed file format standard for 3D computer graphics data, which can be inserted into PDF files.

Two flaws (CVE-2020-10896) stem from a lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. A similar flaw (CVE-2020-10893) stemming from lack of proper validation of user-supplied data can result in a write past the end of an allocated structure. Other flaws (CVE-2020-10895, CVE-2020-10902, CVE-2020-10904, CVE-2020-10898) result from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure.

To address these issues, Foxit released 3D Plugin Beta for Foxit Reader and PhantomPDF.

These are only the latest flaws to be discovered Foxit Software products. In October 2019, Foxit Software issued patches for eight high-severity flaws impacting Foxit Reader, and in October 2018 over 100 vulnerabilities were fixed.

Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.


Suggested articles