
CVE-2025-59802: n/a

0
High
Vulnerability: CVE-2025-59802
Published: Thu Dec 11 2025 (12/11/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Foxit PDF Editor and Reader before 2025.2.1 allow signature spoofing via OCG. When Optional Content Groups (OCG) are supported, the state property of an OCG is runtime-only and not included in the digital signature computation buffer. An attacker can leverage JavaScript or PDF triggers to dynamically change the visibility of OCG content after signing (Post-Sign), allowing the visual content of a signed PDF to be modified without invalidating the signature. This may result in a mismatch between the signed content and what the signer or verifier sees, undermining the trustworthiness of the digital signature. The fixed versions are 2025.2.1, 14.0.1, and 13.2.1.

AI-Powered Analysis

Last updated: 12/11/2025, 15:55:08 UTC

Technical Analysis

CVE-2025-59802 is a vulnerability in Foxit PDF Editor and Reader that allows attackers to spoof digital signatures by exploiting the handling of Optional Content Groups (OCG) within PDF documents. OCGs are layers or groups of content that can be selectively shown or hidden in a PDF. The vulnerability arises because the 'state' property of an OCG, which controls its visibility, is runtime-only and is not included in the digital signature's computation buffer. This means that after a PDF is signed, an attacker can use embedded JavaScript or PDF triggers to dynamically change which OCG content is visible without causing the digital signature to become invalid. Consequently, the visual representation of the signed document can be altered post-signing, leading to a mismatch between the signed content and what the signer or verifier actually sees. This undermines the fundamental trust model of digital signatures, which rely on the immutability of signed content. The flaw affects all Foxit PDF Editor and Reader versions before 2025.2.1, with fixes released in versions 2025.2.1, 14.0.1, and 13.2.1. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to document integrity and authenticity, particularly in environments where signed PDFs are used for contracts, legal documents, or compliance records. The attack vector requires the attacker to craft malicious PDFs that leverage JavaScript or PDF triggers to manipulate OCG visibility post-signing. This vulnerability does not require user interaction beyond opening the malicious PDF, and no authentication is needed to exploit it.

Potential Impact

For European organizations, this vulnerability threatens the integrity and authenticity of digitally signed PDF documents, which are widely used in legal, financial, governmental, and regulatory contexts. The ability to alter the visible content of a signed PDF without invalidating the signature can lead to fraud, misinformation, and legal disputes. Organizations relying on Foxit PDF products for document signing and verification may unknowingly accept altered documents, undermining trust and compliance with regulations such as eIDAS, GDPR, and other digital signature frameworks. This can result in financial losses, reputational damage, and potential regulatory penalties. The vulnerability also complicates forensic investigations and audit trails, as the signed content no longer reliably represents what was originally approved. Given the widespread use of PDFs in Europe and the critical role of digital signatures in business and government processes, the impact is significant, especially for sectors like banking, legal services, public administration, and healthcare.

Mitigation Recommendations

Organizations should immediately upgrade Foxit PDF Editor and Reader to versions 2025.2.1, 14.0.1, or 13.2.1 or later to remediate this vulnerability. Until patches are applied, users should avoid opening PDFs from untrusted sources or those received unexpectedly, especially if they contain JavaScript or dynamic content. Implement strict PDF handling policies that disable JavaScript execution within PDF readers where possible. Use alternative PDF viewers that do not exhibit this vulnerability for verifying signed documents. Enhance document verification processes by cross-checking signed content using cryptographic hash comparisons or out-of-band verification methods rather than relying solely on visual inspection. Train staff to recognize suspicious PDF behavior and to report anomalies in signed documents. For high-risk documents, consider using additional digital signature validation tools that verify the integrity of all PDF content layers, including OCG states. Maintain an inventory of Foxit product deployments to ensure timely patch management. Finally, monitor threat intelligence sources for any emerging exploits related to this vulnerability.
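
The advice above to treat signed PDFs that carry JavaScript or dynamic content with suspicion can be turned into a triage check. The following Python scanner is an added example, not code from this advisory or from Foxit: it flags files that combine a signature, optional content and an active trigger. The marker names are taken from the PDF specification, the sample bytes are constructed, and a hit means "verify in a patched viewer", not "malicious".

```python
import re
import zlib

# PDF name tokens (from the PDF specification) relevant to this advisory.
MARKERS = {
    "signed": (b"/ByteRange",),                 # signature dictionary present
    "layers": (b"/OCProperties", b"/OCG"),      # optional content groups
    "active": (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/SetOCGState"),
}
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
_NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def _expand(data: bytes) -> bytes:
    """Raw bytes plus every stream that inflates, with #xx name escapes undone."""
    parts = [data]
    for m in _STREAM.finditer(data):
        try:
            # Object streams can hide dictionaries from a plain byte search.
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate data (image, other filter, encrypted): skip
    blob = b"\n".join(parts)
    return _NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), blob)


def triage(data: bytes) -> dict:
    """Report which marker groups occur; 'review' is set when all three do."""
    blob = _expand(data)
    report = {}
    for group, names in MARKERS.items():
        # The lookahead keeps /JS from matching longer names such as /JSON.
        report[group] = [n.decode() for n in names
                         if re.search(re.escape(n) + rb"(?![0-9A-Za-z])", blob)]
    report["review"] = all(report[g] for g in MARKERS)
    return report


# Constructed sample: a token-bearing fragment, not a valid or working PDF.
SAMPLE = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 10 20 30] >>\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /OCProperties << /OCGs [5 0 R] >> /OpenAction 6 0 R >>")
    + b"\nendstream\nendobj\n6 0 obj\n<< /S /J#61vaScript /J#53 (...) >>\nendobj\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Streams that are encrypted or use a filter other than Flate are not inspected, so an empty report does not clear a document. Files flagged with `review` are candidates for the out-of-band verification described above.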


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-09-22T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 693ae5917d4c6f31f7b66fee

Added to database: 12/11/2025, 3:38:57 PM

Last enriched: 12/11/2025, 3:55:08 PM

Last updated: 12/12/2025, 4:01:41 AM
