CVE-2024-30337 in Foxit PDF Reader

Summary

by MITRE • 04/03/2024

Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Acroforms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22704.


Analysis

by VulDB Data Team • 08/07/2025

CVE-2024-30337 is a use-after-free flaw (CWE-416) in Foxit PDF Reader that can lead to remote code execution through AcroForm processing. The flaw lies in the reader's handling of interactive form elements within PDF documents. As the MITRE summary states, the affected code does not validate that an object still exists before performing operations on it, so a reference to a form object can be used after the underlying memory has been released. Memory the application has already freed is then read or written, which is the defining condition of a use-after-free and a well-known route to arbitrary code execution. "Remote" here means that the attacker needs no account or prior foothold on the target: the malicious document can be delivered over the network, but the victim still has to open it or visit a page that loads it.

Exploitation requires a crafted PDF whose AcroForm structure drives the reader into the flawed object-lifetime path: one code path releases a form object while another still holds a reference to it and continues to operate on it. When the stale reference is used, the reader reads or writes memory that has been freed and may already have been reallocated to a different object, which gives the attacker a memory-corruption primitive. Heap grooming and control-flow hijacking techniques can typically turn such a primitive into code execution in the context of the Foxit PDF Reader process, that is, with the privileges of the user who opened the file; any further escalation would need a separate flaw. Delivery can be by web page, e-mail attachment or any other channel that puts the file in front of a user. This matches ATT&CK technique T1203 (Exploitation for Client Execution), which covers exploiting vulnerabilities in client applications such as document readers to run code when a user opens attacker-supplied content.
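As an added illustration, not Foxit's code and not the real CVE-2024-30337 data structures, the following C program models the bug class in a toy form-field store: a handler keeps a raw pointer to a field, the field is removed, its slot is reused by another field, and the handler writes through the stale pointer. A fixed slab stands in for the heap so that the reuse is deterministic instead of undefined behaviour. The hardened variant refers to fields by a handle that carries a generation counter and resolves the handle before acting, which is one way to implement the existence check the summary says is missing. All names here (Field, FieldHandle, set_value_unchecked, set_value_checked, demo_*) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

/* Toy model of an interactive-form object store. Constructed for
 * illustration only; it does not reproduce any Foxit internals. */

#define MAX_FIELDS 4
#define NAME_LEN   16

typedef struct {
    char     name[NAME_LEN];
    uint32_t value;
    uint32_t generation;   /* bumped every time the slot is reused */
    bool     live;
} Field;

/* Fixed slab in place of the heap: a "freed" slot is handed out again by
 * the next allocation, which is exactly what makes a UAF exploitable. */
static Field slab[MAX_FIELDS];

static Field *field_alloc(const char *name, uint32_t value) {
    for (int i = 0; i < MAX_FIELDS; i++) {
        if (!slab[i].live) {
            Field *f = &slab[i];
            f->live = true;
            f->generation++;
            strncpy(f->name, name, NAME_LEN - 1);
            f->name[NAME_LEN - 1] = '\0';
            f->value = value;
            return f;
        }
    }
    return NULL;
}

/* Removing a field releases its slot; contents are left in place,
 * as a real free() normally does. */
static void field_free(Field *f) { f->live = false; }

/* Handle = slot index plus the generation seen when the reference was
 * taken. A recycled slot has a different generation, so stale handles
 * can be detected. */
typedef struct { int slot; uint32_t generation; } FieldHandle;

static FieldHandle field_handle(const Field *f) {
    FieldHandle h = { (int)(f - slab), f->generation };
    return h;
}

/* VULNERABLE: operates on a cached raw pointer without checking that the
 * object still exists. If the slot was freed and reused, this writes into
 * whatever object occupies it now. */
static void set_value_unchecked(Field *cached, uint32_t v) {
    cached->value = v;
}

/* HARDENED: resolve the handle first and refuse if the object is gone or
 * the slot now belongs to a different object. */
static Field *field_resolve(FieldHandle h) {
    if (h.slot < 0 || h.slot >= MAX_FIELDS) return NULL;
    Field *f = &slab[h.slot];
    if (!f->live || f->generation != h.generation) return NULL;
    return f;
}

static bool set_value_checked(FieldHandle h, uint32_t v) {
    Field *f = field_resolve(h);
    if (f == NULL) return false;   /* stale reference: do nothing */
    f->value = v;
    return true;
}

static void slab_reset(void) { memset(slab, 0, sizeof slab); }

/* Scenario: a handler caches a pointer to "amount", the field is removed,
 * "approver" is allocated into the same slot, and the handler fires with
 * the stale pointer. Returns the value the NEW field ends up holding. */
static uint32_t demo_unchecked(void) {
    slab_reset();
    Field *amount = field_alloc("amount", 100);
    Field *stale  = amount;                         /* cached raw pointer */
    field_free(amount);                             /* object removed */
    Field *approver = field_alloc("approver", 1);   /* reuses the slot */
    set_value_unchecked(stale, 0xdead);             /* corrupts approver */
    return approver->value;                         /* 0xdead, not 1 */
}

/* Same scenario with a generation-checked handle: the write is refused. */
static uint32_t demo_checked(void) {
    slab_reset();
    Field *amount = field_alloc("amount", 100);
    FieldHandle h = field_handle(amount);
    field_free(amount);
    Field *approver = field_alloc("approver", 1);
    (void)set_value_checked(h, 0xdead);             /* generation mismatch */
    return approver->value;                         /* still 1 */
}

int main(void) {
    printf("unchecked: approver->value = 0x%x\n", (unsigned)demo_unchecked());
    printf("checked:   approver->value = 0x%x\n", (unsigned)demo_checked());
    return 0;
}
```

The unchecked path shows why "lack of validating the existence of an object" is a memory-safety bug and not just a logic bug: the stale pointer is still a valid address, so no crash occurs, and the write silently lands in an unrelated object. Generation-tagged handles are one of several fixes; reference counting or clearing every cached pointer on removal are alternatives, but all of them amount to checking liveness before use.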

The operational impact is code execution with the privileges of the logged-on user, which in practice is enough to deploy malware, read documents and credentials accessible to that user, and serve as an initial foothold; privilege escalation and lateral movement would rely on additional weaknesses in the environment. Foxit PDF Reader is widely deployed in enterprise and personal environments, and because the trigger is simply opening a document, the flaw fits phishing campaigns and compromised websites well. Automated workflows that open untrusted PDFs with Foxit PDF Reader deserve the same attention as end-user workstations. The case illustrates how interactive PDF features become attack surface when object lifetimes are not tracked carefully. ZDI-CAN-22704 is the Zero Day Initiative's case number for the report, meaning the flaw was reported to the vendor through ZDI's coordinated disclosure program; it is a tracking identifier, not a severity rating. Remediation is to apply the vendor's fix and, until then, to treat unsolicited PDFs as untrusted.

Reservation

03/26/2024

Disclosure

04/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00793

KEV

no

Activities

very low
