CVE-2024-30349: CWE-787: Out-of-bounds Write in Foxit PDF Reader
Foxit PDF Reader U3D File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22912.
AI Analysis
Technical Summary
CVE-2024-30349 is an out-of-bounds write vulnerability classified under CWE-787, affecting Foxit PDF Reader version 2023.3.0.23028. The vulnerability is located in the U3D file parsing component of the PDF reader. U3D (Universal 3D) files are embedded 3D content within PDFs. The flaw results from insufficient validation of user-supplied data during the parsing process, which allows an attacker to write data beyond the allocated buffer boundaries. This memory corruption can be exploited to execute arbitrary code remotely in the context of the current user. The attack vector requires user interaction, such as opening a maliciously crafted PDF file or visiting a webpage hosting such a file. The CVSS v3.0 score is 7.8, indicating high severity, with attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No patches or public exploits have been reported at the time of publication, but the vulnerability was reserved and published by ZDI (Zero Day Initiative) as ZDI-CAN-22912. This vulnerability could allow attackers to bypass security controls and gain code execution capabilities, potentially leading to full system compromise depending on the privileges of the Foxit Reader process.
Potential Impact
The impact of CVE-2024-30349 is significant for organizations worldwide that use Foxit PDF Reader version 2023.3.0.23028. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary code with the privileges of the user running the PDF reader. This can result in data theft, installation of malware, lateral movement within networks, and disruption of services. Since PDF readers are commonly used in enterprise, government, and educational environments, the vulnerability poses a risk to sensitive information and operational continuity. The requirement for user interaction limits the attack vector but does not eliminate risk, as phishing campaigns and malicious document distribution remain common attack methods. The lack of known exploits in the wild currently reduces immediate risk but also means organizations should act proactively before exploitation becomes widespread. The vulnerability affects confidentiality, integrity, and availability, making it a critical concern for security teams.
Mitigation Recommendations
Organizations should immediately verify if they are running Foxit PDF Reader version 2023.3.0.23028 and prioritize upgrading to a patched version once available. In the absence of an official patch, organizations can mitigate risk by disabling or restricting the handling of U3D content within PDFs if the application settings allow. Employing endpoint protection solutions with behavior-based detection can help identify exploitation attempts. User education to avoid opening PDFs from untrusted sources is critical to reduce the risk of user interaction-based exploitation. Network-level defenses such as email filtering and web content scanning should be enhanced to detect and block malicious PDFs. Additionally, running Foxit Reader with the least privileges necessary and using application sandboxing or containment technologies can limit the impact of a successful exploit. Monitoring logs for unusual PDF processing behavior and maintaining up-to-date threat intelligence feeds will aid in early detection of exploitation attempts.
Affected Countries
United States, China, Germany, United Kingdom, France, Japan, South Korea, India, Canada, Australia
CVE-2024-30349: CWE-787: Out-of-bounds Write in Foxit PDF Reader
Description
Foxit PDF Reader U3D File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22912.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-30349 is an out-of-bounds write vulnerability classified under CWE-787, affecting Foxit PDF Reader version 2023.3.0.23028. The vulnerability is located in the U3D file parsing component of the PDF reader. U3D (Universal 3D) files are embedded 3D content within PDFs. The flaw results from insufficient validation of user-supplied data during the parsing process, which allows an attacker to write data beyond the allocated buffer boundaries. This memory corruption can be exploited to execute arbitrary code remotely in the context of the current user. The attack vector requires user interaction, such as opening a maliciously crafted PDF file or visiting a webpage hosting such a file. The CVSS v3.0 score is 7.8, indicating high severity, with attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No patches or public exploits have been reported at the time of publication, but the vulnerability was reserved and published by ZDI (Zero Day Initiative) as ZDI-CAN-22912. This vulnerability could allow attackers to bypass security controls and gain code execution capabilities, potentially leading to full system compromise depending on the privileges of the Foxit Reader process.
Potential Impact
The impact of CVE-2024-30349 is significant for organizations worldwide that use Foxit PDF Reader version 2023.3.0.23028. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary code with the privileges of the user running the PDF reader. This can result in data theft, installation of malware, lateral movement within networks, and disruption of services. Since PDF readers are commonly used in enterprise, government, and educational environments, the vulnerability poses a risk to sensitive information and operational continuity. The requirement for user interaction limits the attack vector but does not eliminate risk, as phishing campaigns and malicious document distribution remain common attack methods. The lack of known exploits in the wild currently reduces immediate risk but also means organizations should act proactively before exploitation becomes widespread. The vulnerability affects confidentiality, integrity, and availability, making it a critical concern for security teams.
Mitigation Recommendations
Organizations should immediately verify if they are running Foxit PDF Reader version 2023.3.0.23028 and prioritize upgrading to a patched version once available. In the absence of an official patch, organizations can mitigate risk by disabling or restricting the handling of U3D content within PDFs if the application settings allow. Employing endpoint protection solutions with behavior-based detection can help identify exploitation attempts. User education to avoid opening PDFs from untrusted sources is critical to reduce the risk of user interaction-based exploitation. Network-level defenses such as email filtering and web content scanning should be enhanced to detect and block malicious PDFs. Additionally, running Foxit Reader with the least privileges necessary and using application sandboxing or containment technologies can limit the impact of a successful exploit. Monitoring logs for unusual PDF processing behavior and maintaining up-to-date threat intelligence feeds will aid in early detection of exploitation attempts.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- zdi
- Date Reserved
- 2024-03-26T18:52:36.413Z
- Cvss Version
- 3.0
- State
- PUBLISHED
Threat ID: 699f6dbfb7ef31ef0b58da3f
Added to database: 2/25/2026, 9:46:39 PM
Last enriched: 2/26/2026, 12:07:07 PM
Last updated: 4/11/2026, 11:22:38 PM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.