Cyber Resilience

CVE-2013-0643

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 27 February 2013
Modified: 21 April 2026
KEV Added: 17 September 2024
Patch: available (see Deeper analysis)
CVSS Score: v3.1 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.5865 (98.2nd percentile)
Risk Priority: 73 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-0643 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Adobe Flash Player. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.8% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2013-0643 is an improper privilege restriction issue (CWE-269) in the Firefox sandbox implementation within Adobe Flash Player. It affects versions before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, as well as versions before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, and carries a CVSS 3.1 score of 8.8.

Remote attackers can exploit the flaw by serving crafted SWF content that bypasses sandbox restrictions, resulting in arbitrary code execution on the target system. No user privileges are required beyond visiting a malicious page or opening malicious content, and the issue was observed being exploited in the wild in February 2013.

Security advisories and patches from Adobe (APSB13-08), Red Hat (RHSA-2013-0574), and openSUSE direct administrators to apply the updated Flash Player releases that enforce proper sandbox privileges.

The flaw's public exploitation in February 2013 underscores the need for rapid patching of Flash deployments in browser environments.


Vulnerability details

The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, does not properly restrict privileges, which makes it easier for remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CWE(s): CWE-269 (Improper Privilege Management)
KEV Date Added: 17 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe flash player: ≤ 10.3.183.67 · 11.0 — 11.6.602.171 (Windows, Mac OS X) · 11.0 — 11.2.202.273 (Linux)
redhat enterprise linux desktop: 6.0
redhat enterprise linux eus: 5.9, 6.4
redhat enterprise linux server: 6.0
redhat enterprise linux server aus: 5.9, 6.4
redhat enterprise linux workstation: 6.0
opensuse opensuse: 11.4, 12.1
suse linux enterprise desktop: 10, 11

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely application of Adobe-supplied Flash Player patches that correct the sandbox privilege enforcement flaw.

AC-6 Least Privilege (prevent)

Enforces least-privilege restrictions on the Flash sandbox, directly mitigating the CWE-269 improper privilege assignment that enables arbitrary code execution.

SC-18 Mobile Code (prevent, partial match)

Controls the execution and privileges of mobile code (SWF) within browsers, limiting the attack surface exploited by crafted Flash content.
