CVE-2025-9330: CWE-427: Uncontrolled Search Path Element in Foxit PDF Reader

High
Published: Tue Sep 02 2025 (09/02/2025, 20:09:51 UTC)
Source: CVE Database V5
Vendor/Project: Foxit
Product: PDF Reader

Description

Foxit PDF Reader Update Service Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Foxit PDF Reader. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Foxit Reader Update Service. The product loads a library from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM. Was ZDI-CAN-25709.

AI-Powered Analysis

Last updated: 09/02/2025, 20:47:45 UTC

Technical Analysis

CVE-2025-9330 is a local privilege escalation vulnerability in the Foxit PDF Reader Update Service; the affected build is version 2025.1.0.27937. The weakness is an uncontrolled search path element (CWE-427): the update service, which runs in the SYSTEM context, loads a library by name rather than from a fully qualified, administrator-controlled path, so the Windows loader's search order can be satisfied from a location that a standard user can write to. An attacker who can already run low-privileged code on the host plants a library with the expected file name in that location and waits for the service to load it; the library's code then executes as SYSTEM. No user interaction is required and nothing crosses the network: the attack vector is local and the only precondition is code execution as any local user. The outcome is full compromise of the host, including the ability to modify system files, install persistent malware and disable security controls. The CVSS v3.0 base score is 7.8 (High), with high impact on confidentiality, integrity and availability. No exploitation in the wild had been reported at the time of this analysis, but the issue is publicly disclosed (ZDI-CAN-25709) and a local privilege escalation in a widely deployed PDF reader is an attractive post-compromise step for an attacker who already holds a user-level foothold.

Potential Impact

For European organizations the risk is significant wherever Foxit PDF Reader is deployed at scale on user workstations, and on any servers where it has been installed. Exploitation turns a foothold as a standard user into SYSTEM on that machine, defeating local security controls and giving the attacker a platform for credential theft and lateral movement inside the network. That matters most in sectors handling sensitive data, such as finance, healthcare, government and critical infrastructure, where local privilege escalation is a routine step before ransomware deployment, data exfiltration or sabotage of IT systems. Because Foxit Reader is a common alternative to Adobe Reader in European organizations, the installed base, and therefore the attack surface, is non-trivial. Organizations subject to GDPR may additionally face breach-notification and compliance obligations if the vulnerability contributes to unauthorized access to personal data.

Mitigation Recommendations

Organizations should first identify installations of the affected Foxit PDF Reader build (2025.1.0.27937) from their software inventory and apply the vendor's fixed release as soon as it is available; until then, treat the update service as a privilege escalation path. Because the root cause is an unqualified library load by a SYSTEM service, the practical interim control is file-system permissions rather than service configuration: confirm that the service's installation directory and every directory on the machine-wide PATH are writable only by Administrators and SYSTEM, and that none of those directories is missing (a non-existent PATH entry that a user can create is just as useful to an attacker as a writable one). Application control that covers libraries and not only executables, such as AppLocker or WDAC DLL rules on Windows, prevents an unsigned planted DLL from loading even when the search path is wrong, at the cost of maintaining the rule set. For detection, collect image-load telemetry from the update service process (Sysmon Event ID 7 or the equivalent EDR event) and alert on any DLL loaded from a user-writable location or from outside the application and system directories; Process Monitor filtered for NAME NOT FOUND results on .dll paths shows which library names the service searches for during an update check and where it looks for them. Standard least-privilege and network segmentation measures still apply: ordinary users should not be local administrators, and a compromised workstation should not be able to reach sensitive systems directly. Keep the application inventory current so that vulnerable versions can be located quickly.
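The following PowerShell script is an added example for this advisory; it is not Foxit's code, not part of the CVE record, and it does not exploit anything. It audits the DLL search order of a Windows service as described in the Technical Analysis and implements the permission check recommended above: it resolves the service's image path, builds the default search order a SYSTEM service would use (application directory, System32, System, Windows, then the machine PATH), and reports any directory in which a low-privileged principal holds create-file rights. Assumptions not taken from the advisory: the service is matched by the display-name pattern `*Foxit*` (the real service name is not given on this page), the principal list stands in for "any standard local user", and the check inspects Allow ACEs only, so Deny ACEs, nested group membership, WOW64 redirection, application manifests and KnownDLLs are not evaluated.

```powershell
# Added example for this advisory; not Foxit's code or part of the CVE record.
# Audits the DLL search order of a Windows service and reports search directories
# in which a low-privileged user can create files.
# Assumptions (not from the advisory): the Foxit update service matches the
# display-name pattern below, and the principals listed are those any standard
# local user effectively holds.
param([string]$ServicePattern = '*Foxit*')

$FILE_ADD_FILE = 0x2          # FILE_WRITE_DATA / FILE_ADD_FILE: create a file in a directory
$GENERIC_WRITE = 0x40000000   # generic rights can appear in ACEs outside the named enum values
$GENERIC_ALL   = 0x10000000

$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-ServiceImagePath {
    param([string]$PathName)
    # Win32_Service.PathName carries quotes and arguments, e.g. "C:\Dir\svc.exe" /arg
    if ($PathName.StartsWith('"')) {
        return $PathName.Substring(1, $PathName.IndexOf('"', 1) - 1)
    }
    # An unquoted path containing spaces is a separate weakness (CWE-428); take the first token.
    return ($PathName -split ' ')[0]
}

function Get-ServiceDllSearchDirs {
    param([string]$ImagePath)
    # Default order (SafeDllSearchMode on) for a library loaded by bare name:
    # application directory, System32, System, Windows, the current directory
    # (System32 for a service), then the *machine* PATH. A service never sees a user PATH.
    $dirs = @(
        (Split-Path -Parent $ImagePath),
        [Environment]::GetFolderPath('System'),
        (Join-Path $env:windir 'System'),
        $env:windir
    )
    $dirs += ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';') |
        Where-Object { $_.Trim() } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) }
    return $dirs | Select-Object -Unique
}

function Test-LowPrivCreateFile {
    param([string]$Directory)
    if (-not $Directory) { return $null }
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        # A PATH entry that does not exist can be created by whoever can write to its parent.
        return 'directory missing'
    }
    foreach ($rule in (Get-Acl -LiteralPath $Directory).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs govern children, not this directory object itself.
        if ($rule.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        if ($LowPrivPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        $bits = [int64]$rule.FileSystemRights
        if ((($bits -band $FILE_ADD_FILE) -ne 0) -or
            (($bits -band $GENERIC_WRITE) -ne 0) -or
            (($bits -band $GENERIC_ALL) -ne 0)) {
            return "writable by $($rule.IdentityReference.Value)"
        }
    }
    return $null
}

Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like $ServicePattern -or $_.Name -like $ServicePattern } |
    ForEach-Object {
        $image = Get-ServiceImagePath $_.PathName
        Write-Host "Service: $($_.Name)  Account: $($_.StartName)  Image: $image"
        foreach ($dir in Get-ServiceDllSearchDirs $image) {
            $finding = Test-LowPrivCreateFile $dir
            if ($finding) { Write-Host "  [!] $dir ($finding)" }
        }
    }
```

Run it from an elevated prompt on a host with the affected build installed and treat every `[!]` line as a candidate to confirm, not a verdict: a directory flagged here only becomes an escalation path if the service actually probes it for a library name that is absent from the earlier entries, which is what a Process Monitor capture of the update check (filtered to NAME NOT FOUND on `.dll`) will tell you. The `Account` column should read `LocalSystem` for the service in question; a finding against a service running as a less privileged account is a lower-severity issue.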

Technical Details

Data Version
5.1
Assigner Short Name
zdi
Date Reserved
2025-08-21T19:50:26.628Z
Cvss Version
3.0
State
PUBLISHED

Threat ID: 68b7546fad5a09ad00e87001

Added to database: 9/2/2025, 8:32:47 PM

Last enriched: 9/2/2025, 8:47:45 PM

Last updated: 9/2/2025, 9:55:08 PM
