Cyber Resilience

CVE-2015-0311

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 23 January 2015
Modified: 21 April 2026
KEV Added: 13 April 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9255 (99.8th percentile)
Risk Priority: 95 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-0311 is a critical-severity vulnerability in Adobe Flash Player; the underlying weakness is unspecified. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Flash Player contains an unspecified vulnerability affecting versions through 13.0.0.262 as well as 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X, and through 11.2.202.438 on Linux. The flaw permits remote code execution and carries a CVSS 3.1 base score of 9.8.

Remote attackers can exploit the issue over the network without authentication or user interaction beyond normal rendering of Flash content, achieving arbitrary code execution on affected systems. The vulnerability was observed being exploited in the wild during January 2015.

Adobe addressed the issue in security bulletins APSA15-01 and APSB15-03, which describe the availability of updated Flash Player builds for the supported platforms. Additional vendor advisories from distributions such as openSUSE provide corresponding package updates.

EU & UK References

Vulnerability details

Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in January 2015.

CWE(s)
KEV Date Added: 13 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe flash player: ≤ 11.2.202.438 · ≤ 13.0.0.262 · 14.0.0.125 — 16.0.0.287
suse linux enterprise desktop: 11, 12
suse linux enterprise workstation extension: 12
microsoft internet explorer: 10, 11
microsoft edge: all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of vendor patches (APSB15-03) that eliminate the remote code execution flaw in Flash Player.

prevent

Explicitly governs use of mobile code technologies such as Flash, allowing organizations to block or restrict the vector used for unauthenticated remote exploitation.

prevent · detect

Provides malicious-code detection and blocking mechanisms that can intercept exploit payloads delivered through the vulnerable Flash Player.

References