Platform
windows
Component
foxit-pdf-reader
Fixed in
2025.3.1
2025.3.1
14.0.3
CVE-2026-3780 describes a privilege escalation vulnerability affecting Foxit PDF Reader versions up to and including 2025.3. This flaw arises from the installer's reliance on untrusted search paths when resolving system executables and DLLs. A local attacker can exploit this by placing malicious binaries in user-writable directories, potentially leading to unauthorized code execution with elevated privileges.
The core of this vulnerability lies in the installer's behavior. When installing Foxit PDF Reader, the installer process runs with elevated privileges, necessary for system-level modifications. However, it searches for system files (executables and DLLs) using paths that include directories accessible to standard users. An attacker can leverage this by placing a malicious file with the same name as a legitimate system file within one of these user-writable directories. When the installer attempts to load or execute the system file, it inadvertently loads and executes the attacker's malicious binary instead, effectively gaining elevated privileges. This allows the attacker to perform actions they wouldn't normally be authorized to do, such as modifying system settings, installing malware, or accessing sensitive data. The blast radius is limited to the local machine, but the impact can be severe if the attacker gains control of the system.
CVE-2026-3780 is currently publicly disclosed. While no active exploitation campaigns have been definitively linked to this CVE as of the publication date, the ease of exploitation and the potential for privilege escalation make it a likely target for opportunistic attackers. It is not currently listed on CISA KEV. Public proof-of-concept code may emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS
0.01% (2% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3780 is to upgrade to a patched version of Foxit PDF Reader. Foxit has likely released a version that resolves the issue by implementing secure search paths for system executables and DLLs. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider restricting user write access to directories commonly searched by the installer. While not a complete solution, this can reduce the attack surface. Monitoring system events for suspicious process creation events, particularly those involving the Foxit PDF Reader installer, can also provide early detection of potential exploitation attempts. After upgrade, confirm by running the installer again and verifying that it loads legitimate system files from secure locations.
Update Foxit PDF Reader to a version later than 2025.3 or 14.0.2 to fix the vulnerability. Download the latest version from the official Foxit website.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-3780 is a vulnerability in Foxit PDF Reader versions up to 2025.3 that allows a local attacker to escalate privileges by placing malicious binaries in user-writable directories used by the installer.
You are affected if you are using Foxit PDF Reader version 2025.3 or earlier. Check your installed version and upgrade as soon as possible.
Upgrade to a patched version of Foxit PDF Reader. Check the official Foxit website for the latest version and installation instructions.
While no active exploitation campaigns have been definitively linked to this CVE, the potential for privilege escalation makes it a likely target for attackers.
Refer to the official Foxit security advisory on their website for detailed information and updates regarding CVE-2026-3780.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.