CVE-2026-3780
Published: 01 April 2026
Summary
CVE-2026-3780 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Foxit (inferred from references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008). The CVE ranks at the 2.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-3 (Malicious Code Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Requires digital signature verification of software components prior to installation or loading, directly preventing the elevated installer from executing malicious binaries substituted in untrusted user-writable search paths.
Mandates integrity verification mechanisms for software and firmware, detecting and preventing unauthorized substitutions of system executables and DLLs via untrusted search paths during installer execution.
Deploys malicious code protection at system entry points and performs real-time/periodic scans to block or quarantine attacker-placed malicious binaries in user-writable directories targeted by the installer's search paths.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The untrusted search path in the elevated installer directly enables path interception by search order hijacking (T1574.008) to load attacker-controlled binaries, facilitating local privilege escalation (T1068).
NVD Description
The application's installer runs with elevated privileges but resolves system executables and DLLs using untrusted search paths that can include user-writable directories, allowing a local attacker to place malicious binaries with the same names and have them loaded or executed instead of the legitimate system files, resulting in local privilege escalation.
Deeper analysis [AI]
CVE-2026-3780 is a local privilege escalation vulnerability in the Foxit PDF Reader installer. The installer executes with elevated privileges but resolves system executables and DLLs via untrusted search paths that include user-writable directories. This flaw, tied to CWE-426 (Untrusted Search Path), enables a local attacker to substitute malicious binaries named identically to legitimate system files, causing them to load or execute in place of the originals. It carries a CVSS v3.1 score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-04-01.
A low-privileged local attacker can exploit this by placing malicious files in a user-writable directory on the untrusted search path. Exploitation requires user interaction, such as triggering the installer, after which the attacker's binaries run with elevated privileges instead of system files. This achieves high-impact confidentiality, integrity, and availability compromises, culminating in full local privilege escalation.
Foxit's security bulletin at https://www.foxit.com/support/security-bulletins.html details the issue and outlines mitigation, including patch availability and updated installer recommendations.
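A defender's audit of the condition described above, as an added example that is not code from Foxit or from this page's sources: it resolves each file name in search order and flags names that a user-writable directory already shadows or could pre-empt. The function names, file names and directory layout are constructed for illustration; run it as the low-privileged account whose write access you want to test.

```python
import os
import tempfile

def audit_search_order(search_dirs, trusted_dirs, names):
    """First hit wins, as in an ordered executable/DLL search. Flags names that an
    untrusted directory writable by the current user shadows or could pre-empt."""
    trusted = {os.path.realpath(d) for d in trusted_dirs}
    findings = []
    for name in names:
        writable_earlier = []  # untrusted, writable dirs searched before the hit
        for d in search_dirs:
            real = os.path.realpath(d)
            hit = os.path.isfile(os.path.join(real, name))
            risky = (real not in trusted and os.path.isdir(real)
                     and os.access(real, os.W_OK))
            if risky and hit:
                findings.append((name, "SHADOWED", real))
                break
            if risky:
                writable_earlier.append(real)
            elif hit:
                findings += [(name, "PREEMPTABLE", w) for w in writable_earlier]
                break
    return findings

def demo():
    """Constructed layout: a user-writable directory searched before the system one."""
    names = ["example.dll", "helper.exe"]  # placeholder names, not from the advisory
    with tempfile.TemporaryDirectory() as root:
        user_dir = os.path.join(root, "user_writable")
        system_dir = os.path.join(root, "system")
        os.mkdir(user_dir)
        os.mkdir(system_dir)
        for n in names:
            open(os.path.join(system_dir, n), "w").close()
        short = lambda fs: [(n, s, os.path.basename(d)) for n, s, d in fs]
        order = [user_dir, system_dir]
        before = short(audit_search_order(order, [system_dir], names))
        # A same-named file appears in the user-writable directory.
        open(os.path.join(user_dir, "example.dll"), "w").close()
        after = short(audit_search_order(order, [system_dir], names))
        # Hardened order: only the trusted directory is searched.
        fixed = short(audit_search_order([system_dir], [system_dir], names))
    return before, after, fixed

if __name__ == "__main__":
    for label, result in zip(("before", "after", "fixed"), demo()):
        print(label, result)
```

A PREEMPTABLE finding means the legitimate file currently wins but a writable directory is consulted first; SHADOWED means a same-named file in such a directory already wins resolution.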
Details
- CWE(s)