CVE-2016-4117
Published: 11 May 2016
Summary
CVE-2016-4117 is a critical-severity vulnerability of unspecified weakness type in Redhat Enterprise Linux Desktop. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-18 (Mobile Code).
Deeper analysis
Adobe Flash Player versions 21.0.0.226 and earlier contain a remote code execution vulnerability that can be triggered through unspecified vectors. The flaw received a CVSS score of 9.8 and is tracked under CVE-2016-4117 with no associated CWE entry.
Remote attackers can exploit the issue over the network without authentication or user interaction to execute arbitrary code on affected systems. The vulnerability was actively exploited in the wild during May 2016.
OpenSUSE and Red Hat security advisories reference distribution-specific updates that address the flaw in Adobe Flash Player packages. The issue's public disclosure coincided with observed in-the-wild exploitation campaigns.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-5118
Vulnerability details
Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016.
- CWE(s): none associated
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely installation of vendor patches that remediate the RCE flaw in Adobe Flash Player 21.0.0.226 and earlier.
- CM-7 (Least Functionality): enforces least functionality by disabling or removing the vulnerable Flash Player component so the exploit vector cannot be reached.
- SC-18 (Mobile Code): restricts or authorizes mobile code (Flash) execution, blocking the network-delivered arbitrary-code payloads described in the CVE.