
CVE-2024-12753: CWE-59: Improper Link Resolution Before File Access ('Link Following') in Foxit PDF Reader

Severity: Medium
Tags: Vulnerability, CVE-2024-12753, CWE-59
Published: Mon Dec 30 2024 (12/30/2024, 20:14:13 UTC)
Source: CVE Database V5
Vendor/Project: Foxit
Product: PDF Reader

Description

CVE-2024-12753 is a local privilege escalation vulnerability in Foxit PDF Reader version 2024.2.3.25184. It arises from improper link resolution before file access (CWE-59) in the product installer: an attacker who can already run code as a low-privileged user creates a junction that redirects the installer's file writes, so the elevated installer creates attacker-chosen files in locations the attacker could not otherwise reach. Successful exploitation yields arbitrary code execution as SYSTEM. The flaw requires local access, low-privileged code execution and user interaction, and carries a CVSS score of 6.7 (medium). No exploitation in the wild has been reported. Organizations running the affected version should apply the vendor update or the mitigations below to reduce privilege escalation risk.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 02:59:32 UTC

Technical Analysis

CVE-2024-12753 is a local privilege escalation vulnerability in Foxit PDF Reader version 2024.2.3.25184, caused by improper link resolution before file access (CWE-59) in the product installer. The installer runs with elevated privileges and creates files under a path that a low-privileged user can influence, and it opens those paths without checking whether a directory component has been replaced by a junction (an NTFS directory reparse point). An attacker who already executes code as a low-privileged user can therefore pre-create a junction where the installer expects a plain directory, so that the elevated process creates or overwrites attacker-chosen files in a location the attacker could not normally write to. An arbitrary file write by a SYSTEM process is generally enough for code execution as SYSTEM, for example by dropping or replacing a file that a privileged component later loads, which is why the advisory rates the outcome as full compromise. Note that, unlike NTFS symbolic links, junctions can be created by any user who can write to the parent directory; the attacker needs no special privilege. Exploitation requires local access, the ability to run low-privileged code, and some user interaction, such as an administrator running the installer. The CVE was published on December 30, 2024 with a CVSS v3.0 base score of 6.7 (medium). No public exploits or attacks have been reported, but the flaw is a ready second stage for an attacker who has obtained initial code execution by other means.
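To make the mechanism concrete, here is an added example, not Foxit's installer code and not from this page: a minimal privileged "installer" file write in its vulnerable and hardened forms, plus the sweep a defender would run over staging directories to find planted links. The scenario, the `protected` and `staging` directories and the file names are all constructed. The planted link is a POSIX symlink so the script runs anywhere; it stands in for the Windows junction the advisory describes, which the same `lstat()`-based check recognises through the reparse-point attribute.

```python
"""Link following (CWE-59) in a privileged installer, vulnerable vs hardened.

Added example (not Foxit's code): the scenario below is constructed. The
attacker's junction is simulated with a symlink; on Windows the equivalent is
`mklink /J staging C:\\protected`, and is_link() catches both.
"""
import os
import shutil
import stat
import tempfile


def is_link(path: str) -> bool:
    """True if `path` itself (not its target) is a symlink or, on Windows,
    any other reparse point such as a junction or mount point."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # Windows only; 0 elsewhere
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def vulnerable_create(base_dir: str, rel_path: str, data: bytes) -> str:
    """The CWE-59 pattern: join the path and open it, trusting every
    component. If an attacker replaced a directory on the way with a link,
    the elevated process writes wherever that link points."""
    target = os.path.join(base_dir, rel_path)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def hardened_create(base_dir: str, rel_path: str, data: bytes) -> str:
    """Check each directory component with lstat() before using it, then
    create the leaf with O_EXCL (and O_NOFOLLOW where the OS has it) so an
    existing file or link is never silently reused."""
    parts = rel_path.replace("\\", "/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"rejecting path component in {rel_path!r}")
    dirs = [base_dir]
    for part in parts[:-1]:
        dirs.append(os.path.join(dirs[-1], part))
    for d in dirs:  # base_dir and every intermediate directory, in order
        if is_link(d) or not stat.S_ISDIR(os.lstat(d).st_mode):
            raise PermissionError(f"refusing to descend into {d}: link or not a directory")
    target = os.path.join(dirs[-1], parts[-1])
    if os.path.lexists(target):
        raise FileExistsError(f"refusing to reuse existing {target}")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_BINARY", 0)
    fd = os.open(target, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def find_planted_links(root: str) -> list:
    """Detection counterpart: every symlink/junction under `root`, i.e. the
    sweep to run over an installer's staging or temp directories. os.walk
    does not follow symlinks; on Windows it may still descend into junctions,
    which only makes the listing longer, not wrong."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if is_link(p):
                hits.append(p)
    return sorted(hits)


def demo() -> dict:
    """Constructed scenario: `protected` stands in for a SYSTEM-only location,
    `staging` for the scratch directory the installer expects to write into."""
    root = tempfile.mkdtemp(prefix="cwe59-")
    protected = os.path.join(root, "protected")
    os.mkdir(protected)
    os.mkdir(os.path.join(root, "real"))
    # The attacker, who can write to `root`, pre-creates `staging` as a link
    # to the protected directory before the elevated installer runs.
    os.symlink(protected, os.path.join(root, "staging"), target_is_directory=True)

    out = {}
    landed = vulnerable_create(root, "staging/payload.dll", b"attacker-controlled")
    out["vulnerable_wrote_into_protected"] = (
        os.path.realpath(os.path.dirname(landed)) == os.path.realpath(protected))
    try:
        hardened_create(root, "staging/payload2.dll", b"attacker-controlled")
        out["hardened_refused"] = False
    except PermissionError:
        out["hardened_refused"] = True
    ok = hardened_create(root, "real/config.bin", b"legit")  # genuine directory still works
    with open(ok, "rb") as fh:
        out["hardened_wrote_legit"] = fh.read() == b"legit"
    out["protected_contents"] = sorted(os.listdir(protected))
    out["planted_links"] = [os.path.relpath(p, root) for p in find_planted_links(root)]
    shutil.rmtree(root)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows `payload.dll` landing in `protected` through the vulnerable path while the hardened path refuses the same write and still serves a genuine directory. The lstat-then-open sequence still leaves a race window between the check and the open; the robust fix for an installer is not to stage files anywhere an unprivileged user can write at all, and on Windows to open intermediate directories with `FILE_FLAG_OPEN_REPARSE_POINT` and create files relative to those handles rather than by full path.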

Potential Impact

The primary impact of CVE-2024-12753 is that a local attacker with a low-privileged foothold on a Windows system can escalate to SYSTEM by abusing the vulnerable Foxit PDF Reader installer. SYSTEM-level code execution means full compromise of the host: persistent malware, disabled security controls, access to any data on the machine, credential theft and lateral movement into the network. Exposure is greatest in enterprise and shared-workstation environments, where unprivileged users have local access to machines on which the installer is present or run. The flaw fits naturally as the second stage of a multi-stage intrusion in which the initial foothold comes from phishing or another compromised application. No in-the-wild exploitation is known, but the SYSTEM-level outcome justifies prompt attention despite the medium score. Only systems with the specific vulnerable version are affected and the attacker must already execute code locally, so there is no remote attack surface; the risk is concentrated in insider-threat and compromised-endpoint scenarios.

Mitigation Recommendations

To mitigate CVE-2024-12753, first confirm whether Foxit PDF Reader version 2024.2.3.25184 (or any other version Foxit lists as affected) is installed, and apply the vendor's update as soon as it is available. Until then, keep in mind that a junction, unlike a symbolic link, needs no special privilege on Windows: any user who can write to a directory can turn a subdirectory into a junction, so "restricting junction creation" is not a practical control. The effective control is to ensure the installer runs from, and stages files into, locations that unprivileged users cannot write to (an administrator-only directory rather than a shared or per-user temp directory), and to have installers launched by a deployment tool or an administrator session rather than by interactive users on shared machines. Use application control and endpoint protection to flag an elevated installer creating files in protected locations or following reparse points, and sweep staging directories for unexpected junctions before installation. Default Windows auditing does not record junction creation as a distinct event, so detection depends on object-access auditing of the relevant directories or on EDR file-system telemetry. Enforce least privilege to make the prerequisite low-privileged code execution harder, educate users not to run untrusted installers, consider isolating systems that must keep the vulnerable version in high-risk environments, and maintain an accurate software inventory so vulnerable installations can be found quickly.


Technical Details

Data Version: 5.1
Assigner Short Name: zdi
Date Reserved: 2024-12-18T16:29:58.802Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 699f6e48b7ef31ef0b59c444
Added to database: 2/25/2026, 9:48:56 PM
Last enriched: 2/26/2026, 2:59:32 AM
Last updated: 2/26/2026, 5:30:44 AM
