CVE-2025-13941: CWE-732: Incorrect Permission Assignment for Critical Resource in Foxit Software Inc. Foxit PDF Reader
A local privilege escalation vulnerability exists in the Foxit PDF Reader/Editor Update Service. During plugin installation, incorrect file system permissions are assigned to resources used by the update service. A local attacker with low privileges could modify or replace these resources, which are later executed by the service, resulting in execution of arbitrary code with SYSTEM privileges.
AI Analysis
Technical Summary
CVE-2025-13941 is a local privilege escalation vulnerability classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) found in Foxit Software Inc.'s Foxit PDF Reader and Editor Update Service. The flaw occurs during the installation of plugins, when the update service assigns overly permissive file system permissions to critical resources. These resources, which may include executables or scripts used by the update service, can be modified or replaced by a local attacker with low privileges. Because the update service later executes these resources with SYSTEM-level privileges, an attacker can achieve arbitrary code execution with full system control. The vulnerability affects multiple versions of Foxit PDF Reader, including versions 2025.2.1 and earlier, 14.0.1 and earlier, and 13.2.1 and earlier. The CVSS v3.1 base score is 8.8, reflecting high severity due to the combination of a local attack vector, low attack complexity, low privileges required, and no user interaction. The scope is changed (S:C) because the vulnerability allows escalation from a local user to SYSTEM privileges, impacting the confidentiality, integrity, and availability of the affected system. No patches are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is particularly dangerous in environments where multiple users share workstations or where attackers can gain initial low-level access, as it enables full system compromise.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially in sectors such as government, finance, healthcare, and critical infrastructure where Foxit PDF Reader is commonly used for document handling. Successful exploitation allows attackers to escalate privileges from a low-privileged user to SYSTEM, potentially leading to full system compromise, data theft, unauthorized system changes, and disruption of services. This can result in breaches of sensitive personal data protected under GDPR, operational downtime, and reputational damage. Organizations with shared or multi-user environments, such as public institutions or enterprises with many local users, are particularly vulnerable. The lack of required user interaction lowers the barrier for exploitation once local access is obtained, increasing the threat level. Although no known exploits are currently in the wild, the high CVSS score and nature of the vulnerability suggest that attackers may develop exploits rapidly, especially in targeted attacks.
Mitigation Recommendations
1. Apply security patches from Foxit Software immediately once they become available to address the incorrect permission assignments.
2. Until patches are released, restrict local user permissions to prevent modification of update service directories and files by implementing strict Access Control Lists (ACLs) on the file system.
3. Employ application whitelisting to prevent unauthorized executables or scripts from running with elevated privileges.
4. Monitor file integrity of the update service directories using host-based intrusion detection systems (HIDS) to detect unauthorized changes.
5. Limit local user accounts and enforce the principle of least privilege to reduce the risk of local exploitation.
6. Conduct regular audits of installed software versions and update to the latest secure versions.
7. Educate IT staff and users about the risks of local privilege escalation and the importance of reporting suspicious activity.
8. Consider deploying endpoint detection and response (EDR) solutions capable of detecting anomalous process execution indicative of exploitation attempts.
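The following PowerShell audit is an added example (not from this advisory or from Foxit) for recommendation 2 and 4 above: it walks a directory tree and reports every Allow ACE that grants write-type rights to a principal every low-privileged local user belongs to, which is exactly the CWE-732 condition that lets a service-executed resource be replaced. The install path is an assumed placeholder; the advisory does not name the affected directory.

```powershell
# Added example: audit a directory tree for ACEs that let low-privileged
# users modify or replace files a SYSTEM service may later execute.
# $Path is an ASSUMED placeholder; substitute the update-service directory
# of your own installation.
param(
    [string]$Path = 'C:\Program Files (x86)\Foxit Software\Foxit PDF Reader'  # ASSUMED
)

# Principals that any local low-privileged interactive user is a member of.
$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow altering, replacing or deleting the resource, or
# rewriting its ACL (WriteData/CreateFiles and AppendData/CreateDirectories
# share flag values, so listing one of each pair is enough).
$writeRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Include the root itself, then every file and subdirectory beneath it.
$items = @(Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited ACEs point at a parent to fix
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No write-type ACEs for low-privileged principals under $Path" }
```

Each reported row is an ACE to remove or tighten (for inherited ACEs, on the parent it comes from); a second run after the change, or a scheduled run feeding your HIDS/EDR, serves as the integrity check recommendation 4 asks for.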
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Foxit
- Date Reserved: 2025-12-03T01:32:27.232Z
- CVSS Version: 3.1
- State: PUBLISHED