Foxit PDF: Updates close highly risky security vulnerabilities

Updates for Foxit PDF Editor and Reader for macOS and Windows close security vulnerabilities. Attackers can inject malicious code as a result.


The developers of Foxit PDF have released new versions of the editor and reader for both macOS and Windows. They close a large number of security vulnerabilities, some of which narrowly miss the “critical” risk rating.

On the Foxit website with security bulletins, the developers announce the updated software packages. One of the most serious vulnerabilities affects the Windows version if it was installed from the Microsoft Store. Attackers with low privileges can inject code into the installer because “msiexec.exe” is called by bare name, and therefore resolved from the current path, instead of from the trusted system path (CVE-2025-57779, CVSS 8.8, risk “high”). In the updater for the Windows version (not limited to the Microsoft Store build), local attackers can also escalate their privileges to “SYSTEM” because incorrect file system permissions are assigned to resources the updater uses during plug-in installation (CVE-2025-13941, CVSS 8.8, risk “high”).
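The CVE-2025-57779 mechanism, as an added illustration that is not Foxit's code and not part of the original article: a simplified model of how Windows resolves a bare executable name (current directory included) versus building the absolute path under the system directory; the file set and directory names are constructed for the example.

```python
from typing import Callable, Iterable, Optional

# Simplified model of the Windows search order for a bare executable name
# (no directory component): application directory, current directory,
# System32, the Windows directory, then PATH. exists() is injected so the
# example runs offline against a constructed file set.
def resolve_bare_name(name: str, app_dir: str, cwd: str, system_root: str,
                      path_dirs: Iterable[str],
                      exists: Callable[[str], bool]) -> Optional[str]:
    search_order = [app_dir, cwd, f"{system_root}\\System32", system_root, *path_dirs]
    for directory in search_order:
        candidate = f"{directory}\\{name}"
        if exists(candidate):
            return candidate  # first hit wins, even from a writable directory
    return None

def trusted_msiexec_path(system_root: str) -> str:
    # Hardened form: construct the absolute path under the system directory
    # instead of letting the loader search for "msiexec.exe".
    return f"{system_root}\\System32\\msiexec.exe"

def is_trusted_system_path(path: str, system_root: str) -> bool:
    # Defensive check before launching: accept only paths inside System32
    # and reject traversal components.
    norm = path.replace("/", "\\").lower()
    return norm.startswith(f"{system_root.lower()}\\system32\\") and "\\.." not in norm

# Constructed file set: the genuine msiexec plus a same-named file sitting in
# the directory the installer happens to run from.
CONSTRUCTED_FILES = {
    r"C:\Windows\System32\msiexec.exe",
    r"C:\Users\alice\Downloads\msiexec.exe",
}

def demo() -> tuple:
    exists = CONSTRUCTED_FILES.__contains__
    resolved = resolve_bare_name("msiexec.exe",
                                 app_dir=r"C:\Program Files\Vendor",
                                 cwd=r"C:\Users\alice\Downloads",
                                 system_root=r"C:\Windows",
                                 path_dirs=[r"C:\Windows\System32"],
                                 exists=exists)
    trusted = trusted_msiexec_path(r"C:\Windows")
    return resolved, trusted

if __name__ == "__main__":
    weak, safe = demo()
    print("bare-name lookup resolved to:", weak)
    print("hardened absolute path:", safe)
```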

The Mac versions are also impacted by further “use-after-free” vulnerabilities. Attackers can exploit these to inject malicious code with manipulated PDF files – CVE-2025-58085, CVE-2025-59488, CVE-2025-66493, CVE-2025-66494 and CVE-2025-66495 all receive a risk rating of “high” with a CVSS score of 7.8. Here, the program code accesses memory that has already been freed and therefore has undefined content. A heap-based buffer overflow can also occur when processing JBIG2 data in PDFs, allowing injected code to be executed (CVE-2025-66499, CVSS 7.8, risk “high”). Three further vulnerabilities (CVE-2025-66496, CVE-2025-66497 and CVE-2025-66498) are rated by the developers as only a “medium” risk with a CVSS score of 5.3.

The vulnerabilities are fixed in the now available versions Foxit PDF Reader 2025.3 and PDF Editor 2025.3, 14.0.2 and 13.2.2 for macOS and Windows. Affected users can download them from the Foxit download page. Locally, the update can be searched for and applied by clicking “Help” – “About Foxit PDF [Editor|Reader]” – “Check for Updates”.

Most recently, Foxit closed security vulnerabilities in its PDF programs with software updates in August. At that time, too, some vulnerabilities were considered “high” risk. Among other things, they allowed attackers to inject and execute malicious code.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.