SB2025081367 - Multiple vulnerabilities in Foxit PDF Reader and PDF Editor for Windows 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025081367

SB2025081367 - Multiple vulnerabilities in Foxit PDF Reader and PDF Editor for Windows

Published: August 13, 2025

Security Bulletin ID SB2025081367
Severity
High
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 64% Medium 9% Low 27%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.


1) Out-of-bounds read (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A remote attacker can trick the victim into opening PRC or JP2 files, trigger an out-of-bounds read error and read contents of memory on the system.


2) Missing Initialization of a Variable (CVE-ID: CVE-2025-32451)

The vulnerability allows a remote attacker to crash the application.

The vulnerability exists due to missing variable initialization. A remote attacker can trick the victim into opening a specially crafted PDF file and crash the application. 


3) Buffer overflow (CVE-ID: CVE-2025-55307)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing PDF files. A remote attacker can create a specially crafted PDF document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


4) Buffer overflow (CVE-ID: CVE-2025-55308)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing PDF files. A remote attacker can create a specially crafted PDF document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


5) Buffer overflow (CVE-ID: CVE-2025-55309)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing PDF files. A remote attacker can create a specially crafted PDF document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


6) Buffer overflow (CVE-ID: CVE-2025-55312)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing PDF files. A remote attacker can create a specially crafted PDF document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


7) Buffer overflow (CVE-ID: CVE-2025-55313)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing PDF files. A remote attacker can create a specially crafted PDF document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


8) Buffer overflow (CVE-ID: CVE-2025-55314)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing PDF files. A remote attacker can create a specially crafted PDF document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


9) Download of code without integrity check (CVE-ID: CVE-2025-55310)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to software does not perform software integrity check when downloading updates. A local user can place a malicious file on the system and the application will load it without performing an integrity check, leading to code execution. 


10) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2025-55311)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper certificate verification  when handling certain signed documents that contain JavaScripts. A remote attacker can trick the victim into opening a specially crafted document and spoof its content. 


11) Insecure DLL loading (CVE-ID: N/A)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to the application loads DLL libraries in an insecure manner. A remote attacker can place a specially crafted .dll file on a remote SMB fileshare, trick the victim into opening a file, associated with the vulnerable application, and execute arbitrary code on victim's system.


Remediation

Install update from vendor's website.

References