CVE-2013-0648

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 27 February 2013
Modified: 21 April 2026
KEV Added: 17 September 2024
Patch: available (see vendor advisories below)
CVSS v3.1 Score: 8.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.5546 (98.1th percentile)
Risk Priority: 71 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-0648 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in Adobe Flash Player. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood (EPSS 0.5546, 98.1th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an unspecified flaw in the ExternalInterface ActionScript functionality of Adobe Flash Player. It affects versions before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, as well as versions before 10.3.183.67 and 11.x before 11.2.202.273 on Linux.

Remote attackers can exploit the issue by supplying crafted SWF content to a vulnerable player, resulting in arbitrary code execution on the target system. The CVSS 3.1 score of 8.8 reflects a network attack vector, low attack complexity, no privileges required, user interaction required (the victim must load the SWF), and high impact to confidentiality, integrity, and availability.

Adobe Security Bulletin APSB13-08 along with corresponding Red Hat and openSUSE advisories direct users to apply the vendor-supplied updates that resolve the flaw. The vulnerability was observed being exploited in the wild during February 2013.

Vulnerability details

Unspecified vulnerability in the ExternalInterface ActionScript functionality in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CWE(s): none listed
KEV Date Added: 17 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor    Product                         Affected versions
adobe     flash player                    before 10.3.183.67; 11.0 up to (not including) 11.6.602.171 on Windows and Mac OS X; 11.0 up to (not including) 11.2.202.273 on Linux
opensuse  opensuse                        11.4, 12.1
suse      linux enterprise desktop        10, 11
redhat    enterprise linux desktop        6.0
redhat    enterprise linux eus            5.9, 6.4
redhat    enterprise linux server         6.0
redhat    enterprise linux server aus     5.9, 6.4
redhat    enterprise linux workstation    6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires applying vendor patches (Adobe APSB13-08 and the corresponding Red Hat and openSUSE updates) to remediate the Flash Player ExternalInterface flaw before crafted SWF content can execute arbitrary code.

SC-18 Mobile Code (prevent)

Restricts or disables execution of untrusted mobile code (SWF) in Flash Player, blocking the remote attack vector described in the CVE.

Malicious code protection (prevent, detect)

Deploys malicious-code detection mechanisms that can identify and block exploit-bearing SWF files targeting the ExternalInterface vulnerability.