Cyber Resilience

CVE-2015-7645

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 15 October 2015

Modified: 22 April 2026
KEV Added: 03 March 2022
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.8517 (99.4th percentile)
Risk Priority: 87 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-7645 is a high-severity vulnerability of unspecified weakness type in Adobe Flash Player. Its CVSS base score is 7.8 (High).

Operationally, it is ranked in the top 0.6% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Flash Player versions 18.x through 18.0.0.252 and 19.x through 19.0.0.207 on Windows and OS X, as well as 11.x through 11.2.202.535 on Linux, contain an unspecified flaw that allows remote attackers to execute arbitrary code by means of a crafted SWF file. The issue carries a CVSS 3.1 base score of 7.8 and is tracked without an associated CWE.

Remote attackers can exploit the vulnerability by serving malicious SWF content that a user is tricked into opening, resulting in arbitrary code execution with full impacts on confidentiality, integrity, and availability under the conditions AV:L/AC:L/PR:N/UI:R/S:U.

Security advisories published by openSUSE in October 2015 address the flaw through updated Flash Player packages, while public reporting confirms the vulnerability was exploited in the wild that same month as part of the Pawn Storm campaign.

Vulnerability details

Adobe Flash Player 18.x through 18.0.0.252 and 19.x through 19.0.0.207 on Windows and OS X and 11.x through 11.2.202.535 on Linux allows remote attackers to execute arbitrary code via a crafted SWF file, as exploited in the wild in October 2015.

CWE(s): none associated
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / product: affected versions

adobe / flash player: 19.0.0.185, 19.0.0.207 · 18.0.0.160 — 18.0.0.252 · ≤ 11.2.202.535
opensuse / evergreen: 11.4
opensuse / opensuse: 13.1, 13.2
suse / linux enterprise desktop: 11, 12
suse / linux enterprise workstation extension: 12
redhat / enterprise linux desktop: 5.0, 6.0
redhat / enterprise linux eus: 6.7
redhat / enterprise linux server: 5.0, 6.0
redhat / enterprise linux server from rhui: 5.0, 6.0
redhat / enterprise linux workstation: 5.0, 6.0

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely installation of vendor patches that remediate the exact Flash Player flaw exploited by CVE-2015-7645.

Prevent: Restricts or authorizes execution of mobile code (SWF files) that is the attack vector for this remote code-execution vulnerability.

Prevent: Enforces least functionality by disabling or removing the vulnerable Flash Player component when it is not required.
