Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
The application's installer runs with elevated privileges but resolves system executables and DLLs using untrusted search paths that can include user-writable directories, allowing a local attacker to place malicious binaries with the same names and have them loaded or executed instead of the legitimate system files, resulting in local privilege escalation.
AnalysisAI
Installer privilege escalation in Foxit PDF Reader and Foxit PDF Editor allows local authenticated users to execute arbitrary code with elevated system privileges via DLL search path manipulation. The installer's failure to use absolute paths for system executables enables attackers to plant malicious DLLs in user-writable directories that take precedence during installation, exploiting the trusted installer's elevated permissions. EPSS data not available; no public exploit identified at time of analysis; not listed in CISA KEV.
Technical ContextAI
This vulnerability stems from CWE-426 (Untrusted Search Path), a class of weaknesses where applications fail to properly specify the full path to executables or libraries they load. During installation, Foxit PDF products run with elevated Windows privileges (typically SYSTEM or Administrator) but rely on the operating system's default DLL search order, which checks user-writable directories like the current working directory or user-specific temp folders before system directories. An attacker with standard user privileges can pre-position a malicious DLL with a name matching a system library the installer will load (such as version.dll, dwmapi.dll, or other commonly hijacked libraries). When the installer executes, Windows loads the attacker's DLL instead of the legitimate system file, causing that code to execute with the installer's elevated privileges. The affected products per CPE data are Foxit PDF Reader (cpe:2.3:a:foxit_software_inc.:foxit_pdf_reader) and Foxit PDF Editor (cpe:2.3:a:foxit_software_inc.:foxit_pdf_editor), both widely deployed PDF manipulation tools in enterprise and consumer environments. This vulnerability class is particularly dangerous in Windows environments where installers routinely require administrative privileges and DLL search order behavior is well-documented and exploitable.
RemediationAI
Organizations should immediately consult the official Foxit security bulletin at https://www.foxit.com/support/security-bulletins.html to identify patched versions and obtain updated installers that implement secure DLL loading practices, such as using absolute paths or calling SetDllDirectory/SetDefaultDllDirectories Windows APIs to restrict search paths. Specific patched version numbers are not provided in available data, requiring direct verification from the vendor advisory. As an interim mitigation, restrict installer execution to administrators on dedicated clean systems, ensure installation directories and parent folders have appropriate permissions preventing standard users from writing files, and deploy Foxit products via enterprise management tools that control the installation environment rather than allowing end-users to run installers directly. Consider implementing Windows Defender Application Control or AppLocker policies to prevent execution of unsigned DLLs from user-writable directories during installation processes. Organizations should prioritize upgrading to patched versions once identified in the vendor bulletin, as workarounds provide only partial risk reduction against determined local attackers.
More in Foxit Pdf Reader
View allUse-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor lets a crafted PDF containing JavaScript trigg
Use-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1/14.0.4 and earlier) allows
Denial-of-service (and potential memory-corruption) in Foxit PDF Editor (≤14.0.4 / ≤13.2.4 / ≤2026.1.1) and Foxit PDF Re
Denial-of-service in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1 and earlier) occurs when a victim opens a
Memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1, 13.2.4, 14.0.4 and earlier) allows attack
Memory corruption in Foxit PDF Reader and Foxit PDF Editor allows a crafted PDF to trigger a use-after-free through the
Use-after-free memory corruption in Foxit PDF Reader (2026.1.1 and earlier) and Foxit PDF Editor (through 14.0.4, 13.2.4
Memory corruption in Foxit PDF Reader (≤2026.1.1) and Foxit PDF Editor (≤14.0.4, ≤13.2.4, and ≤2026.1.1) allows an attac
Memory-corruption (buffer overflow) in Foxit PDF Reader and Foxit PDF Editor arises when the digital-signature plugin pr
Memory-corruption crash (and potential code execution) in Foxit PDF Reader and Foxit PDF Editor occurs when a PDF's embe
Use-after-free memory corruption in Foxit PDF Editor and Foxit PDF Reader allows a crafted PDF to crash the application
Denial of service in Foxit PDF Editor and Foxit PDF Reader arises when the application renders a PDF containing cloud-st
Same weakness CWE-426 – Untrusted Search Path
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17761