CVE-2024-9755: CWE-125: Out-of-bounds Read in Tungsten Automation Power PDF
CVE-2024-9755 is a high-severity out-of-bounds read vulnerability in Tungsten Automation Power PDF's JP2 file parser. It allows remote attackers to execute arbitrary code by tricking a user into opening a malicious JP2 file or visiting a malicious webpage. The flaw arises from improper validation of user-supplied data, leading to reading beyond allocated memory. Exploitation requires user interaction but no privileges or authentication. Successful exploitation compromises confidentiality, integrity, and availability by executing code in the context of the affected process. No known exploits are currently reported in the wild. Organizations using Power PDF version 5. 0. 0. 10.
AI Analysis
Technical Summary
CVE-2024-9755 is an out-of-bounds read vulnerability classified under CWE-125 affecting Tungsten Automation Power PDF, specifically in the JP2 (JPEG 2000) file parsing component. The vulnerability stems from insufficient validation of user-supplied data during JP2 file processing, which allows an attacker to read memory beyond the bounds of allocated objects. This memory corruption can be leveraged to execute arbitrary code remotely in the context of the current process. Exploitation requires user interaction, such as opening a crafted JP2 file or visiting a malicious webpage that triggers the vulnerable parser. The vulnerability does not require any privileges or authentication, increasing its risk profile. The CVSS v3.0 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity but requiring user interaction. No patches are currently listed, and no known exploits have been observed in the wild, but the vulnerability was responsibly disclosed and tracked as ZDI-CAN-24472. This flaw poses a significant risk to environments using the affected Power PDF version 5.0.0.10.0.23307, especially where untrusted files or web content are handled.
Potential Impact
The vulnerability enables remote code execution, allowing attackers to gain the same privileges as the user running Power PDF. This can lead to full system compromise, data theft, or disruption of services. Since the attack vector involves user interaction with malicious JP2 files or web content, organizations that frequently handle external PDF or image files are at heightened risk. The compromise of confidentiality, integrity, and availability can affect sensitive documents and workflows, potentially leading to intellectual property loss, regulatory non-compliance, and operational downtime. The lack of authentication requirement broadens the attack surface, making phishing or drive-by download attacks viable. Given the widespread use of PDF tools in corporate, government, and industrial sectors, the impact could be significant if exploited at scale.
Mitigation Recommendations
Organizations should immediately restrict or monitor the handling of JP2 files within Power PDF until a patch is released. Employ file type filtering and sandboxing to isolate PDF processing. Educate users to avoid opening suspicious files or links from untrusted sources. Implement network-level protections such as web filtering and email gateway scanning to block malicious content delivery. Utilize endpoint detection and response (EDR) tools to detect anomalous behaviors indicative of exploitation attempts. Coordinate with Tungsten Automation for timely patch deployment once available. Consider disabling JP2 file support if feasible or using alternative PDF readers with no known vulnerabilities in JP2 parsing. Regularly update threat intelligence feeds to stay informed of emerging exploits related to this vulnerability.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Japan, South Korea, Australia, India, Brazil
CVE-2024-9755: CWE-125: Out-of-bounds Read in Tungsten Automation Power PDF
Description
CVE-2024-9755 is a high-severity out-of-bounds read vulnerability in Tungsten Automation Power PDF's JP2 file parser. It allows remote attackers to execute arbitrary code by tricking a user into opening a malicious JP2 file or visiting a malicious webpage. The flaw arises from improper validation of user-supplied data, leading to reading beyond allocated memory. Exploitation requires user interaction but no privileges or authentication. Successful exploitation compromises confidentiality, integrity, and availability by executing code in the context of the affected process. No known exploits are currently reported in the wild. Organizations using Power PDF version 5. 0. 0. 10.
AI-Powered Analysis
Technical Analysis
CVE-2024-9755 is an out-of-bounds read vulnerability classified under CWE-125 affecting Tungsten Automation Power PDF, specifically in the JP2 (JPEG 2000) file parsing component. The vulnerability stems from insufficient validation of user-supplied data during JP2 file processing, which allows an attacker to read memory beyond the bounds of allocated objects. This memory corruption can be leveraged to execute arbitrary code remotely in the context of the current process. Exploitation requires user interaction, such as opening a crafted JP2 file or visiting a malicious webpage that triggers the vulnerable parser. The vulnerability does not require any privileges or authentication, increasing its risk profile. The CVSS v3.0 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity but requiring user interaction. No patches are currently listed, and no known exploits have been observed in the wild, but the vulnerability was responsibly disclosed and tracked as ZDI-CAN-24472. This flaw poses a significant risk to environments using the affected Power PDF version 5.0.0.10.0.23307, especially where untrusted files or web content are handled.
Potential Impact
The vulnerability enables remote code execution, allowing attackers to gain the same privileges as the user running Power PDF. This can lead to full system compromise, data theft, or disruption of services. Since the attack vector involves user interaction with malicious JP2 files or web content, organizations that frequently handle external PDF or image files are at heightened risk. The compromise of confidentiality, integrity, and availability can affect sensitive documents and workflows, potentially leading to intellectual property loss, regulatory non-compliance, and operational downtime. The lack of authentication requirement broadens the attack surface, making phishing or drive-by download attacks viable. Given the widespread use of PDF tools in corporate, government, and industrial sectors, the impact could be significant if exploited at scale.
Mitigation Recommendations
Organizations should immediately restrict or monitor the handling of JP2 files within Power PDF until a patch is released. Employ file type filtering and sandboxing to isolate PDF processing. Educate users to avoid opening suspicious files or links from untrusted sources. Implement network-level protections such as web filtering and email gateway scanning to block malicious content delivery. Utilize endpoint detection and response (EDR) tools to detect anomalous behaviors indicative of exploitation attempts. Coordinate with Tungsten Automation for timely patch deployment once available. Consider disabling JP2 file support if feasible or using alternative PDF readers with no known vulnerabilities in JP2 parsing. Regularly update threat intelligence feeds to stay informed of emerging exploits related to this vulnerability.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- zdi
- Date Reserved
- 2024-10-09T19:43:56.773Z
- Cvss Version
- 3.0
- State
- PUBLISHED
Threat ID: 699f6b5eb7ef31ef0b554b64
Added to database: 2/25/2026, 9:36:30 PM
Last enriched: 2/25/2026, 11:40:03 PM
Last updated: 2/26/2026, 6:18:49 AM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup
HighCVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator
MediumCVE-2026-2499: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tgrk Custom Logo
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.