CVE-2025-13941 is a local privilege escalation vulnerability classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) found in Foxit Software Inc.'s Foxit PDF Reader and Editor Update Service. The vulnerability stems from improper file system permissions assigned to resources used by the update service during plugin installation. Specifically, these resources—likely executable files or scripts—are accessible and modifiable by low-privileged local users. Because the update service later executes these resources with SYSTEM-level privileges, an attacker with local access can replace or modify them to execute arbitrary code with the highest system privileges. This can lead to full system compromise, including unauthorized access to sensitive data, system integrity violations, and potential denial of service. The vulnerability affects multiple versions of Foxit PDF Reader, including versions 2025.2.1 and earlier, 14.0.1 and earlier, and 13.2.1 and earlier. The CVSS v3.1 score is 8.8, indicating high severity, with an attack vector of local access, low complexity, requiring low privileges, no user interaction, and a scope change due to SYSTEM-level code execution. Although no known exploits have been reported in the wild, the vulnerability presents a significant risk due to the widespread use of Foxit PDF Reader in enterprise environments. The lack of patches at the time of publication necessitates immediate attention to mitigate risk.

For European organizations, this vulnerability poses a serious threat to endpoint security, particularly for those relying on Foxit PDF Reader for document handling. Successful exploitation allows attackers to escalate privileges from a low-privileged user to SYSTEM level, potentially leading to full system compromise. This can result in unauthorized access to confidential information, disruption of business operations, and the ability to deploy further malware or ransomware. Organizations in sectors such as finance, government, healthcare, and critical infrastructure are especially at risk due to the sensitivity of their data and the potential impact of system compromise. The vulnerability's local attack vector means that insider threats or attackers who have gained initial footholds through other means could leverage this flaw to deepen their control over affected systems. The high severity and scope change amplify the risk, making timely mitigation critical to prevent lateral movement and privilege escalation within corporate networks.

1. Apply official patches from Foxit Software immediately once they become available to correct the file permission assignments in the update service. 2. Until patches are released, manually audit and restrict file system permissions on the update service's plugin installation directories and executable resources to prevent modification by non-administrative users. 3. Implement strict endpoint security controls, including application whitelisting and integrity monitoring, to detect unauthorized changes to update service files. 4. Limit local user privileges wherever possible to reduce the risk of exploitation by low-privileged users. 5. Monitor system logs and security alerts for suspicious activities related to the Foxit update service or unexpected privilege escalations. 6. Educate IT and security teams about this vulnerability to ensure rapid response and remediation. 7. Consider deploying host-based intrusion prevention systems (HIPS) that can block unauthorized code execution attempts at the SYSTEM level. 8. Review and harden overall endpoint security posture, including restricting software installation rights and enforcing least privilege principles.