
Warning: Multiple vulnerabilities in Foxit PDF Reader and Editor products can lead to Remote Code Execution

Advisory #2023-91
Affected software:
Foxit PDF Editor (previously named Foxit PhantomPDF) versions and all previous 12.x versions, and all previous 11.x versions, and earlier
Foxit PDF Reader (previously named Foxit Reader) versions and earlier
Foxit PDF Editor for Mac (previously named Foxit PhantomPDF Mac) versions and all previous 12.x versions, and earlier
Foxit PDF Reader for Mac (previously named Foxit Reader Mac) versions and earlier
Remote Code Execution (RCE)

CVE-2023-28744: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVE-2023-32664: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)






Most of the vulnerabilities fixed in the updates can lead to Remote Code Execution, with total impact on the confidentiality, integrity and availability of the vulnerable system. Attack complexity is low and no privileges are required. Additionally, Talos has published proof-of-concept code for some of the vulnerabilities.

At the moment of writing there is no sign of the vulnerabilities being exploited in the wild. Nonetheless, malicious PDF documents are often used by attackers during phishing or social engineering attacks to execute malicious code on the victim's computer. This makes these vulnerabilities highly likely to be exploited in the future.


Foxit released security updates for Foxit PDF Editor and Foxit PDF Reader on Windows and macOS. The updates fix several vulnerabilities that can lead to Remote Code Execution; a small number of them are described below.



CVE-2023-28744 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader. A specially crafted PDF document can be sent to a victim; opening it triggers the reuse of previously freed memory, which can lead to memory corruption and arbitrary code execution. The vulnerability can also be exploited if the victim visits a malicious website while the browser's PDF plugin extension is enabled.



CVE-2023-32664 is a type confusion vulnerability in the JavaScript checkThisBox method as implemented in Foxit PDF Reader. Specially crafted JavaScript code inside a malicious PDF document can cause memory corruption and lead to Remote Code Execution. User interaction is required.
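As an added triage example (not part of the CCB advisory and not Foxit code), the following Python script flags PDF files that carry embedded JavaScript, the attack surface shared by both CVEs above, and separately reports a call to the checkThisBox method named in CVE-2023-32664. The two PDF samples are constructed inline for illustration and are not real malware.

```python
import re

# Constructed sample inputs (not real malware): a plain PDF and one whose
# catalog auto-runs a JavaScript action that calls the field method
# checkThisBox, the API named in CVE-2023-32664. The action type is spelled
# with a #xx escape (/J#61vaScript) to show why names must be decoded.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%%EOF\n")
JS_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /J#61vaScript "
          b"/JS (this.getField('cb').checkThisBox(0, true);) >> endobj\n%%EOF\n")

# A PDF name token: '/' followed by regular characters or #xx hex escapes.
NAME_RE = re.compile(rb"/((?:[^\s/<>\[\]()%#]|#[0-9A-Fa-f]{2})+)")
# Names that embed JavaScript, and names that run an action without a click.
JS_NAMES = {"JS", "JavaScript"}
AUTORUN_NAMES = {"OpenAction", "AA"}
CHECK_THIS_BOX_RE = re.compile(rb"\bcheckThisBox\s*\(")


def decode_name(raw: bytes) -> str:
    """Expand #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf_bytes(data: bytes) -> dict:
    """Return the JavaScript-related indicators found and a triage verdict."""
    names = {decode_name(m.group(1)) for m in NAME_RE.finditer(data)}
    has_js = bool(names & JS_NAMES)
    autorun = bool(names & AUTORUN_NAMES)
    calls_check_this_box = CHECK_THIS_BOX_RE.search(data) is not None
    if has_js and autorun:
        verdict = "quarantine"   # script runs as soon as the file is opened
    elif has_js or calls_check_this_box:
        verdict = "review"       # script present but tied to a user action
    else:
        verdict = "clean"
    return {"name_hits": sorted(names & (JS_NAMES | AUTORUN_NAMES)),
            "calls_check_this_box": calls_check_this_box,
            "verdict": verdict}


def scan_pdf_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_pdf_bytes(fh.read())


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_PDF), ("js", JS_PDF)):
        print(label, scan_pdf_bytes(sample))
```

The scanner only reads uncompressed object syntax: JavaScript stored as a hex string or inside a FlateDecode-compressed object stream is not decoded, so a "clean" verdict is absence of evidence, not proof of safety. A mail gateway should inflate streams before applying these checks.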

Recommended actions

The Centre for Cybersecurity Belgium strongly recommends updating the affected software as soon as possible.

  • For Foxit PDF Editor and Reader, update to version 12.1.3.
  • For Foxit PDF Editor and Reader for Mac, update to version 12.1.1.