CVE-2026-3780 is a vulnerability classified under CWE-426 (Untrusted Search Path) affecting Foxit Software Inc.'s Foxit PDF Reader, specifically versions 2025.3 and earlier. The core issue lies in the application's installer, which operates with elevated privileges but resolves system executables and DLLs using search paths that include user-writable directories. This insecure search path allows a local attacker with write access to place malicious binaries named identically to expected system files. When the installer executes or loads these binaries, it inadvertently runs attacker-controlled code with elevated privileges, resulting in local privilege escalation. The vulnerability requires local access and some user interaction (e.g., running the installer). The CVSS v3.1 score is 7.3 (high), reflecting the ease of exploitation with low attack complexity, the need for limited privileges, and user interaction, combined with high impact on confidentiality, integrity, and availability. No patches are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability is particularly dangerous because it leverages a common misconfiguration in search path handling, which can be overlooked during software development and deployment. Organizations relying on Foxit PDF Reader should be aware of this risk and prepare to mitigate it promptly.

The vulnerability allows a local attacker to escalate privileges from a limited user account to elevated system-level privileges by exploiting the untrusted search path in the Foxit PDF Reader installer. This can lead to full system compromise, including unauthorized access to sensitive data, modification or deletion of critical files, installation of persistent malware, and disruption of system availability. Because the installer runs with elevated privileges, successful exploitation bypasses normal user privilege restrictions, undermining system security controls. The impact extends to confidentiality, integrity, and availability, making it a critical concern for organizations that use Foxit PDF Reader, especially in environments where multiple users share systems or where endpoint security is paramount. Although exploitation requires local access and user interaction, the widespread use of Foxit PDF Reader in enterprise and government sectors increases the risk of targeted attacks. The absence of known exploits in the wild currently limits immediate threat but does not diminish the urgency for mitigation.

1. Apply official patches or updates from Foxit Software as soon as they become available to address the untrusted search path vulnerability. 2. Until patches are released, restrict write permissions on directories included in the installer's search path, especially user-writable directories, to prevent unauthorized file placement. 3. Use application whitelisting and endpoint protection solutions to monitor and block execution of unauthorized binaries in sensitive directories. 4. Educate users to avoid running installers or software with elevated privileges unless necessary and to verify the source and integrity of installation files. 5. Employ least privilege principles by limiting user permissions and avoiding unnecessary administrative rights on endpoints. 6. Conduct regular audits of system directories for unexpected or suspicious files that could indicate attempted exploitation. 7. Consider deploying host-based intrusion detection systems (HIDS) to alert on anomalous DLL or executable loading during installation processes. 8. Monitor security advisories from Foxit and cybersecurity communities for updates and exploit reports related to this vulnerability.