Talos Vulnerability Report

TALOS-2025-2275

Foxit PDF Editor Installation Uncontrolled Search Path Privilege Escalation Vulnerability

December 19, 2025

CVE NUMBER

CVE-2025-57779

SUMMARY

A privilege escalation vulnerability exists during the installation of Foxit PDF Editor via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in unintended elevation of privileges.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit PDF Editor 2025.2.0.33046

PRODUCT URLS

Foxit PDF Editor - https://www.foxit.com/pdf-editor/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-427 - Uncontrolled Search Path Element

DETAILS

Foxit PDF Editor is a lightweight and easy-to-use program for working with PDF files. It allows opening, reading, and editing PDFs. Text, images, and comments can be added, as well as highlighting or marking up important information in a PDF. It can also combine multiple files into one PDF, split a large PDF into smaller parts, and protect documents with passwords. Foxit PDF Editor is an all-in-one PDF solution built for business.

Foxit PDF Editor is vulnerable to a privilege escalation issue when installed via the Microsoft Store application. When a user attempts to install Foxit PDF Editor, the following events occur in the background:

  • WindowsPackageManagerServer.exe downloads and runs FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe.

     8:06:52.1846888 AM	WindowsPackageManagerServer.exe	5084	CreateFile	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a	NAME NOT FOUND	Medium
    
     [..]
     8:09:18.9276165 AM	WindowsPackageManagerServer.exe	5084	SetRenameInformationFile	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\bcf4a9a5fb30716b9fedee7afd36e062b7eb50ec02bf0239d41717fae12f4627	ReplaceIfExists: True, FileName: C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe	SUCCESS	Medium
    
  • FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe exits if launched with Medium Integrity privileges.
  • WindowsPackageManagerServer.exe attempts to launch the executable as a High Integrity process. Once permission is granted, the new FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe process runs with High Integrity privileges.

      8:09:54.0428068 AM	WindowsPackageManagerServer.exe	5084	Process Create	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe	PID: 6644, Command line: "C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe" /quiet	SUCCESS	Medium
      8:09:54.0429218 AM	FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe	6644	Process Start		Parent PID: 5084, Command line: "C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe" /quiet, Current directory: C:\Windows\system32\, Environment: [...]
      8:09:54.0429389 AM	FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe	6644	Thread Create		Thread ID: 8308	SUCCESS	High
    
  • This elevated process runs msiexec.exe with High Integrity to complete the installation of the application.

      8:10:11.3724098 AM	FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe	6644	CreateFile	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\msiexec.exe	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a	NAME NOT FOUND	High
    

The vulnerability exists because the executable image search is not restricted to trusted paths. In this case, the directory %TEMP%\WinGet\<Random>.<Version> is writable by a standard user. An attacker with user privileges can exploit this by placing a malicious file named msiexec.exe in that folder. When the installer attempts to run msiexec.exe, it executes the attacker-controlled file instead, with High Integrity privileges.

8:52:07.9945181 AM	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\msiexec.exe	msiexec.exe	9876	Process Start		SUCCESS	Parent PID: 7652, Command line: msiexec /i "C:\ProgramData\Package Cache\{CA7B7BF5-754E-11F0-B87B-54BF64A63C26}v2025.2.0.33046\Setup.msi" /qn /norestart  ASSTBALL_SHOW=1 DESKTOP_SHORTCUT=1 WIN8TILE=1 EXE_INSTALL=1 PACKAGENAMEUID="FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe" NO_CACHE_PACKAGE=1, Current directory: C:\Windows\system32\, Environment: [..]

8:52:07.9945319 AM	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\msiexec.exe	msiexec.exe	9876	Thread Create		SUCCESS	Thread ID: 3888	High

8:52:08.0198070 AM	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\msiexec.exe	msiexec.exe	9876	Load Image	C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046\msiexec.exe	SUCCESS	Image Base: 0x7ff625c30000, Image Size: 0x2b000	High

In this case, the exploit registers a service that escalates privileges from High Integrity to System.
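The two Procmon signals shown above can be checked mechanically: an elevated process probing a user-writable folder for msiexec.exe, and an elevated msiexec.exe image loading from outside the system directory. The following is an added example, not Talos or Foxit code; the event tuples are constructed from the rows above, and the watch lists and function names are assumptions.

```python
import ntpath

# Assumption: directories treated as trusted homes for Windows system binaries.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: short watch list of system binary names installers commonly spawn.
SYSTEM_BINARIES = {"msiexec.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Assumption: path fragments treated as writable by a standard user.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\")

TEMP = r"C:\Users\dev\AppData\Local\Temp\WinGet\XPDNZD76FP5JR7.2025.2.0.33046"
SETUP = "FoxitPDFEditor20252_L10N_Setup_MSStore_x64.exe"
# Constructed events modelled on the Procmon rows above:
# (process, operation, path, result, integrity)
EVENTS = [
    ("WindowsPackageManagerServer.exe", "CreateFile", TEMP + "\\" + SETUP,
     "NAME NOT FOUND", "Medium"),
    (SETUP, "CreateFile", TEMP + "\\msiexec.exe", "NAME NOT FOUND", "High"),
    ("msiexec.exe", "Load Image", r"C:\Windows\System32\msiexec.exe",
     "SUCCESS", "High"),
    ("msiexec.exe", "Load Image", TEMP + "\\msiexec.exe", "SUCCESS", "High"),
]


def classify(process, operation, path, result, integrity):
    """Return a finding label for one event, or None if it is benign."""
    p = path.lower()
    name, folder = ntpath.basename(p), ntpath.dirname(p)
    elevated = integrity in ("High", "System")
    # Only elevated activity involving a system binary name outside the
    # trusted directories is of interest.
    if not elevated or name not in SYSTEM_BINARIES or folder in TRUSTED_DIRS:
        return None
    writable = any(fragment in p for fragment in USER_WRITABLE)
    # An elevated process looked for the binary in a user-writable folder
    # and did not find it: the search path includes an untrusted location.
    if operation == "CreateFile" and result == "NAME NOT FOUND" and writable:
        return "plantable-probe"
    # A system-named image actually ran or loaded from an untrusted folder.
    if operation in ("Process Start", "Load Image"):
        return "untrusted-system-binary"
    return None


def scan(events):
    """Return (path, finding) for every event that produces a finding."""
    return [(e[2], verdict) for e in events if (verdict := classify(*e))]


if __name__ == "__main__":
    for path, verdict in scan(EVENTS):
        print(f"{verdict}: {path}")
```

A "plantable-probe" finding on a clean install indicates the weakness itself; an "untrusted-system-binary" finding indicates that a file in that location was actually executed with elevated integrity.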

TIMELINE

2025-09-23 - Vendor Disclosure
2025-12-19 - Vendor Patch Release
2025-12-19 - Public Release

CREDIT

Discovered by KPC of Cisco Talos.