CVE-2023-35985: CWE-73: External Control of File Name or Path in Foxit Foxit Reader
An arbitrary file creation vulnerability exists in the JavaScript exportDataObject API of Foxit Reader 12.1.3.15356 due to a failure to properly validate a dangerous extension. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted malicious site while the browser plugin extension is enabled.
AI Analysis
Technical Summary
CVE-2023-35985 is a vulnerability classified under CWE-73 (External Control of File Name or Path) affecting Foxit Reader version 12.1.3.15356. The issue arises from the JavaScript exportDataObject API failing to properly validate file extensions, allowing an attacker to craft malicious files that can create arbitrary files anywhere on the victim’s system. This arbitrary file creation can be leveraged to execute malicious code, compromising system integrity and confidentiality. The attack vector requires user interaction: either opening a malicious PDF file or visiting a malicious website if the Foxit Reader browser plugin is enabled. The vulnerability is remotely exploitable over the network without privileges but requires user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:R). The impact is severe, affecting confidentiality, integrity, and availability, with a CVSS score of 8.8. No patches were linked in the provided data, and no known exploits are reported in the wild, but the risk remains significant due to the potential for arbitrary code execution. The vulnerability highlights the risks of insufficient input validation in document processing software and the dangers of browser plugins that extend PDF reader functionality.
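The CWE-73 pattern above comes down to a document-supplied file name reaching a file-creation call with neither its directory nor its extension checked. The following is an added illustration, not Foxit's code and not the actual fix: it shows the checks a reader's export routine would need to apply to an untrusted attachment name before writing it. The allowlist, the function names and the `exports` directory are assumptions made for the example.

```python
import os
import re

# Constructed policy for this example (an assumption, not Foxit's): the only
# extensions a data-object export is permitted to write.
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".csv", ".xml", ".json"}


class UnsafeExportPath(ValueError):
    """Raised when a document-supplied export name fails validation."""


def safe_export_path(export_dir: str, requested_name: str) -> str:
    """Return an absolute path under export_dir for an untrusted file name
    (it comes from the PDF), or raise UnsafeExportPath."""
    # 1. Control characters and NUL can truncate or confuse the OS call.
    if any(ord(c) < 0x20 for c in requested_name):
        raise UnsafeExportPath("control character in file name")
    # 2. Keep only the last path component: no directories, drive letters
    #    or NTFS alternate data streams ("name.pdf:stream").
    name = re.split(r"[\\/]", requested_name)[-1]
    if ":" in name or name in ("", ".", ".."):
        raise UnsafeExportPath("file name must be a bare name")
    # 3. Windows silently strips trailing dots and spaces, so check the
    #    name the filesystem will actually create ("evil.exe. " -> "evil.exe").
    name = name.rstrip(". ")
    # 4. Decide on the final suffix, case-insensitively, so "report.pdf.exe"
    #    is judged by ".exe", not by the ".pdf" in the middle.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeExportPath(f"extension {ext!r} not allowed")
    # 5. Confine the result to the export directory after normalisation.
    base = os.path.realpath(export_dir)
    full = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, full]) != base:
        raise UnsafeExportPath("path escapes export directory")
    return full


def is_safe_export(export_dir: str, requested_name: str) -> bool:
    """Boolean convenience wrapper around safe_export_path."""
    try:
        safe_export_path(export_dir, requested_name)
        return True
    except UnsafeExportPath:
        return False
```

Reserved device names on Windows (CON, LPT1 and friends) are a further case a production validator would reject; they are left out here to keep the example focused on the path and extension checks.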
Potential Impact
European organizations using Foxit Reader 12.1.3.15356 face significant risks from this vulnerability. Successful exploitation can lead to arbitrary code execution, enabling attackers to install malware, steal sensitive data, or disrupt operations. This is particularly critical for sectors handling sensitive or regulated data such as finance, healthcare, and government institutions. The requirement for user interaction means phishing or social engineering campaigns could be effective attack vectors. The presence of a browser plugin increases the attack surface, potentially allowing drive-by attacks via malicious websites. The impact extends to confidentiality breaches, data integrity loss, and system availability disruptions, which could result in regulatory penalties under GDPR if personal data is compromised. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as exploit code could be developed rapidly given the detailed vulnerability disclosure.
Mitigation Recommendations
Organizations should immediately verify if Foxit Reader version 12.1.3.15356 is in use and prioritize upgrading to a patched version once available. Until patches are released, disable the Foxit Reader browser plugin to reduce exposure to drive-by attacks. Implement strict email filtering and user awareness training to reduce the risk of opening malicious PDF files. Employ endpoint protection solutions capable of detecting suspicious file creation and execution behaviors. Restrict user permissions to prevent unauthorized file creation in sensitive directories. Monitor network traffic and logs for unusual activity related to Foxit Reader processes. Consider application whitelisting to prevent execution of unauthorized code. Coordinate with IT and security teams to ensure rapid incident response capability in case of exploitation attempts. Regularly review and update security policies related to document handling and browser plugin usage.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: talos
- Date Reserved: 2023-08-15T20:00:03.273Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690a53252a90255b94da66ef
Added to database: 11/4/2025, 7:25:25 PM
Last enriched: 11/4/2025, 7:39:30 PM
Last updated: 2/7/2026, 11:52:28 AM