CVE-2024-12753 is a local privilege escalation vulnerability identified in Foxit PDF Reader version 2024.2.3.25184. The root cause is improper link resolution before file access (CWE-59), specifically within the product installer. The vulnerability allows an attacker who already has the ability to execute low-privileged code on the target system to abuse the installer process by creating a junction (a type of symbolic link on Windows). This junction tricks the installer into creating or modifying arbitrary files in locations that the attacker controls or that require elevated privileges. By leveraging this flaw, the attacker can escalate their privileges to SYSTEM level, enabling execution of arbitrary code with the highest system privileges. The attack vector is local, requiring the attacker to have some initial foothold with limited privileges and to perform user interaction. The CVSS 3.0 base score is 6.7, reflecting medium severity due to the complexity and preconditions required. No public exploits have been reported yet, but the vulnerability was assigned ZDI-CAN-25408 and published on December 30, 2024. This vulnerability poses a significant risk in environments where Foxit PDF Reader is installed and users have the ability to run low-privileged code, as it can lead to full system compromise.

The primary impact of CVE-2024-12753 is local privilege escalation, allowing an attacker with limited access to gain SYSTEM-level privileges on affected Windows systems running Foxit PDF Reader 2024.2.3.25184. This can lead to complete system compromise, including installation of persistent malware, disabling security controls, and unauthorized access to sensitive data. Organizations relying on Foxit PDF Reader in enterprise environments may face increased risk of insider threats or post-exploitation lateral movement if attackers leverage this vulnerability. The requirement for local code execution and user interaction limits remote exploitation but does not eliminate risk in environments with shared workstations or where attackers can deliver low-privileged code via phishing or other means. The vulnerability could be particularly impactful in sectors with high-value targets such as government, finance, and critical infrastructure, where privilege escalation can facilitate broader attacks.

To mitigate CVE-2024-12753, organizations should: 1) Immediately update Foxit PDF Reader to a patched version once available from the vendor, as no patch links are currently provided but should be prioritized upon release. 2) Restrict local user permissions to the minimum necessary to reduce the ability to execute arbitrary low-privileged code. 3) Implement application whitelisting to prevent unauthorized execution of untrusted binaries or scripts that could be used to exploit this vulnerability. 4) Monitor and audit file system changes, especially creation of junction points or symbolic links in directories related to Foxit PDF Reader installation or updates. 5) Employ endpoint detection and response (EDR) solutions to detect suspicious installer behavior or privilege escalation attempts. 6) Educate users to avoid running untrusted code and to report unusual installer prompts or behaviors. 7) Consider restricting or isolating Foxit PDF Reader usage on critical systems until a patch is applied.