Cisco Talos Discloses Critical Vulnerabilities in Foxit PDF Editor, Epic Games Store, and MedDream PACS

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed multiple security vulnerabilities affecting consumer and enterprise software, including Foxit PDF Editor, the Epic Games Store, and MedDream PACS. The findings include local privilege escalation flaws, memory corruption vulnerabilities leading to arbitrary code execution, and widespread reflected cross-site scripting (XSS) issues.

All vulnerabilities were disclosed in accordance with Cisco Talos’ third-party vulnerability disclosure policy and have been patched by their respective vendors. Updated detection coverage is available through Snort, and detailed advisories are published on the Talos Intelligence website.


Foxit PDF Editor Vulnerabilities: Privilege Escalation and Memory Corruption

Discovered by KPC of Cisco Talos

Foxit PDF Editor and Foxit Reader are widely deployed in enterprise and consumer environments, making them attractive targets for attackers. Talos identified three vulnerabilities spanning installer logic and PDF JavaScript processing.

Privilege Escalation via Microsoft Store Installation

TALOS-2025-2275 (CVE-2025-57779)

This vulnerability exists in the Microsoft Store installation workflow for Foxit PDF Editor. During installation, Foxit performs file operations in directories that can be manipulated by a low-privileged local user.

Technical impact:

  • An attacker can race or replace files during installation
  • Malicious binaries or configuration files can be written before privilege boundaries are enforced
  • When the installer continues execution, attacker-controlled files may be executed with elevated privileges

Attack requirements:

  • Local access with low privileges
  • Ability to trigger or wait for an installation or update via Microsoft Store

This flaw enables local privilege escalation (LPE) and can be chained with other vulnerabilities to achieve full system compromise.


Use-After-Free Vulnerabilities in PDF JavaScript Handling

TALOS-2025-2277 (CVE-2025-58085)
TALOS-2025-2278 (CVE-2025-59488)

These vulnerabilities stem from improper lifecycle management of PDF form field objects inside Foxit Reader’s JavaScript engine.

  • One flaw affects Barcode field objects
  • The other affects Text Widget field objects

Technical details:

  • Specially crafted JavaScript embedded in a malicious PDF can:
    • Free an internal object
    • Retain a dangling pointer to the freed memory
    • Later dereference that pointer, resulting in use-after-free
  • Successful exploitation allows attackers to control heap memory layout, leading to memory corruption
  • With sufficient heap grooming, this can result in arbitrary code execution

Exploitation vectors:

  • User opens a malicious PDF file
  • User visits a malicious webpage if the Foxit browser plugin is enabled

These vulnerabilities are particularly dangerous because PDFs are commonly exchanged via email and collaboration platforms, making them effective for phishing and targeted attacks.


Epic Games Store Local Privilege Escalation via DLL Hijacking

Discovered by KPC of Cisco Talos

Epic Games Store is a Windows application distributed through the Microsoft Store. Talos identified a privilege escalation issue during installation.

DLL Replacement Vulnerability

TALOS-2025-2279 (CVE-2025-61973)

This vulnerability arises from insecure DLL loading behavior during the Microsoft Store installation process.

Technical details:

  • A low-privileged attacker can place a malicious DLL in a location searched by the installer
  • The installer loads the attacker-controlled DLL without validating its integrity
  • The DLL executes in the context of the installer, which runs with elevated privileges

Impact:

  • Local privilege escalation
  • Potential persistence if combined with scheduled tasks or services
  • Useful as a post-exploitation primitive after initial access

MedDream PACS: Extensive Reflected XSS Attack Surface

Discovered by Marcin “Icewall” Noga of Cisco Talos

MedDream PACS is a web-based medical imaging platform used in clinical environments to manage DICOM 3.0-compliant images. Talos identified 21 reflected XSS vulnerabilities in MedDream PACS Premium version 7.3.6.870.

Root Cause Analysis

Across multiple endpoints, MedDream PACS:

  • Fails to properly sanitize user-supplied input
  • Reflects attacker-controlled parameters directly into HTML responses
  • Does not consistently apply output encoding or Content Security Policy (CSP)

Technical Impact

An attacker can:

  • Craft a malicious URL containing embedded JavaScript
  • Trick an authenticated user into clicking the link
  • Execute arbitrary JavaScript in the context of the MedDream PACS application

This enables:

  • Session hijacking
  • Credential theft
  • Unauthorized PACS actions
  • Potential access to sensitive medical data
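To make the root cause concrete, here is an added example (not MedDream code; the `/settings` endpoint and `name` parameter are hypothetical) showing a handler that reflects a query parameter into HTML unencoded, beside a hardened version that applies contextual output encoding and sends a Content Security Policy header:

```python
# Added example: reflected-XSS root cause and fix for a page that echoes a
# query parameter. Endpoint and parameter names are hypothetical.
import html
from urllib.parse import parse_qs, urlsplit

# A restrictive policy: only same-origin scripts, no inline script, no plugins.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'"


def extract_name(url: str) -> str:
    """Returns the 'name' query parameter (percent-decoded) or ''."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("name", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter straight into the HTML body (the bug class)."""
    name = extract_name(url)
    # No output encoding: any markup in the parameter becomes live HTML.
    return f"<html><body><h1>Settings for {name}</h1></body></html>"


def render_hardened(url: str) -> tuple[dict, str]:
    """Same page with HTML output encoding plus a CSP response header."""
    name = extract_name(url)
    # quote=True also encodes " and ', so the value is safe in attribute
    # context as well as in text context.
    safe = html.escape(name, quote=True)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
    }
    return headers, f"<html><body><h1>Settings for {safe}</h1></body></html>"


# Constructed request URL carrying a classic test payload.
CONSTRUCTED_URL = "http://pacs.example/settings?name=<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_vulnerable(CONSTRUCTED_URL))
    print(render_hardened(CONSTRUCTED_URL)[1])
```

Even with encoding in place, the CSP header is the second layer: it blocks inline script execution if a reflection point is missed elsewhere.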

Affected Functionalities

The vulnerabilities affect administrative, configuration, and workflow endpoints, including autoPurge, user management, HL7 configuration, routing, reporting, and LDAP integration. The breadth of affected functionality significantly increases the attack surface, especially in healthcare environments where PACS systems are often accessible on internal networks.

Each of the 21 CVEs and TALOS IDs corresponds to a distinct vulnerable endpoint and parameter; the full list is given in the individual Talos advisories.


Detection, Mitigation, and Defense

Cisco Talos has released Snort signatures capable of detecting exploitation attempts targeting these vulnerabilities, including:

  • Malicious PDF structures and JavaScript patterns
  • Suspicious installer behaviors
  • Reflected XSS payloads in HTTP requests

Recommendations:

  • Apply vendor patches immediately
  • Restrict installation privileges on Windows endpoints
  • Disable unused browser plugins
  • Harden PACS web servers with input validation and CSP
  • Monitor for abnormal PDF behavior and suspicious URLs
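As an added illustration of the last recommendation (this is not a Talos or Snort rule), the following scans constructed web-server access-log lines for query parameters that, after percent-decoding, carry script-injection markers; paths and parameter names are made up:

```python
# Added example: flags requests whose query parameters decode to reflected-XSS
# markers. Log lines, paths and parameter names are constructed for the demo.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Markers checked after decoding: script-capable tag openers, inline event
# handler attributes, and javascript: URLs.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)

# Common Log Format: client, ident, user, [time], "METHOD target HTTP/x", status
REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')

LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /admin/users.php?user=alice HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2025:10:00:05 +0000] "GET /admin/users.php?user=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2025:10:00:09 +0000] "GET /report.php?title=x%22+onmouseover%3Dalert(1)+y%3D%22 HTTP/1.1" 200 700',
    '10.0.0.3 - - [01/Jan/2025:10:00:12 +0000] "GET /routing.php?dest=javascript%3Aalert(1) HTTP/1.1" 200 300',
]


def scan_line(line: str):
    """Returns a hit dict for the first suspicious parameter, else None."""
    m = REQ.match(line)
    if not m:
        return None
    src, method, target, status = m.groups()
    parts = urlsplit(target)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decoded once; decode again to catch double-encoded input.
        decoded = unquote_plus(value)
        if XSS_MARKERS.search(decoded):
            return {"src": src, "method": method, "path": parts.path,
                    "param": key, "status": int(status), "decoded": decoded}
    return None


def scan(lines):
    """Runs scan_line over every line and keeps only the hits."""
    return [hit for hit in (scan_line(ln) for ln in lines) if hit]


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

A 200 status on a flagged request is worth prioritising, since it means the parameter reached the handler rather than being rejected upstream.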