
16 Zero-Day Flaws in Foxit and Apryse PDFs Enable One-Click Attacks and Account Takeovers

Multiple Zero-Day Flaws in PDF Platforms Enable XSS and One-Click Attacks

A recent study from Novee Security has uncovered 16 zero-day vulnerabilities in two major PDF platforms—Foxit and Apryse—that could allow attackers to take over accounts or execute commands on backend servers. The research highlights how modern PDF systems have evolved into complex “application stacks” that hackers can exploit as gateways into private networks.

Zero-Day Vulnerabilities in PDF Tools

The team identified 13 distinct categories of vulnerabilities, ranging from critical cross-site scripting (XSS) flaws to OS command injection. These are not minor bugs; attackers could exploit them without needing access to the browser or operating system.

Key vulnerabilities include:

  • CVE-2025-70402 & CVE-2025-70400 – Flaws in Apryse WebViewer that allow malicious code execution via remote configuration files.
  • CVE-2025-70401 – Scripts hidden in the “Author” field of a PDF comment can steal login credentials with minimal interaction.
  • CVE-2025-66500 – Foxit web plugins can be tricked into running harmful scripts through fake messages.

Some of these issues enable one-click attacks, where simply opening a PDF or clicking a link triggers the exploit, giving attackers control over the system.


AI-Assisted Vulnerability Hunting

Finding security flaws in complex code is a huge challenge. To speed up the process, Novee Security used a human-agent AI approach:

  1. Researchers manually identified patterns indicative of vulnerabilities, called the “scent” of a bug.
  2. These patterns were fed to an AI swarm, which autonomously scanned the code and explored attack surfaces far faster than humans could.

This approach helped discover critical issues, including a severe flaw in the Foxit signature server, which handles digital signatures for legal documents. The AI swarm’s testing showed that a simple request could execute injected commands, giving attackers full control over affected systems.


Why PDF Files Are Riskier Than They Seem

Modern PDF platforms now function like advanced web applications, using iframes, server-side rendering, and dynamic scripts. However, many organizations still treat PDFs as low-risk files. This mismatch creates “trust boundary” failures, where software trusts data that should be verified, opening doors for attacks.

Novee Security emphasized that this is a shared responsibility: while developers must secure their platforms, organizations should also treat PDFs with the same caution as web apps and implement strict content validation.
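
One way to apply the "strict content validation" advice in a web-based viewer, as an added example that is not code from Novee Security, Foxit or Apryse and does not reproduce the reported flaws: PDF comment metadata is encoded before it reaches the page, and cross-window messages are checked against an exact origin allow-list. The function names, the origin and the message types are assumptions made for illustration, as is reading the article's "fake messages" as cross-window messages.

```javascript
// Added example: every value that comes out of a PDF, or arrives from another
// window, is untrusted input. All names are hypothetical, not vendor code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text for an HTML context so markup inside metadata stays inert.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Normalise an annotation's author string: drop control characters, cap the length.
function cleanAuthor(raw) {
  if (typeof raw !== 'string') return 'Unknown';
  const text = raw.replace(/[\u0000-\u001f\u007f]/g, '').trim().slice(0, 64);
  return text === '' ? 'Unknown' : text;
}

// Build the comment header shown in the viewer UI from untrusted metadata.
function renderCommentHeader(annotation) {
  return `<span class="author">${escapeHtml(cleanAuthor(annotation.author))}</span>`;
}

// Assumption: the viewer talks to its host page via cross-window messages.
const ALLOWED_ORIGINS = new Set(['https://viewer.example.com']); // constructed value
const ALLOWED_TYPES = new Set(['pageChanged', 'annotationSelected']); // hypothetical

// Accept a message only from an exact allow-listed origin and only in the
// expected shape; return a copy holding just the fields the handler needs.
function acceptMessage(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return null; // exact match, no substring tests
  const data = event.data;
  if (data === null || typeof data !== 'object') return null;
  if (!ALLOWED_TYPES.has(data.type)) return null;
  return { type: data.type, page: Number.isInteger(data.page) ? data.page : null };
}

// Constructed sample input: markup placed in a comment's Author field.
const sampleAnnotation = { author: '<img src=x onerror=alert(1)>' };
const sampleHeader = renderCommentHeader(sampleAnnotation);
```

In a browser, `acceptMessage` would be called at the top of the `message` event listener, and anything it rejects is dropped without further processing.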


Responsible Disclosure

Novee Security worked closely with Foxit and Apryse before going public. Official CVE numbers have been assigned, and both vendors are actively patching the vulnerabilities. Users and organizations are advised to apply updates promptly and remain cautious when handling PDFs from untrusted sources.
