CVE-2016-4171
Published: 16 June 2016
Summary
CVE-2016-4171 is a critical-severity vulnerability of unspecified weakness type in Adobe Flash Player. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2016-4171 is an unspecified vulnerability affecting Adobe Flash Player versions 21.0.0.242 and earlier. The flaw carries a CVSS score of 9.8 and is categorized under NVD-CWE-noinfo, indicating insufficient details were available at the time of disclosure to assign a more specific weakness identifier.
Remote attackers can exploit the issue over the network without authentication or user interaction to execute arbitrary code, resulting in complete compromise of confidentiality, integrity, and availability on affected systems. The vulnerability was observed being exploited in the wild during June 2016.
Security advisories referenced in OpenSUSE mailing lists, SecurityFocus, and SecurityTracker address the issue through updated packages and vendor patches for supported distributions and platforms. The public references primarily consist of distribution-specific announcements rather than detailed technical analysis from the vendor.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-5172
Vulnerability details
Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in June 2016.
- CWE(s): NVD-CWE-noinfo
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of vendor patches that remediate the remote-code-execution flaw in Adobe Flash Player.
- SC-18 (Mobile Code): restricts or disables execution of mobile code (Flash) that can be abused for unauthenticated remote code execution.
- Anti-malware protection: deploys anti-malware mechanisms to block or alert on malicious payloads delivered through the Flash vulnerability.
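As an added defensive example (not code from this page or from Adobe), the following script performs the version check that the SI-2 flaw-remediation control implies: it compares each inventoried Flash Player version against the affected range stated above (21.0.0.242 and earlier). The inventory rows are constructed sample data, and the function names `parse_version`, `is_affected` and `assess_inventory` are assumptions. A version above 21.0.0.242 falls outside the page's affected range but does not by itself prove the host is patched, since the page names no fixed version.

```python
from typing import Dict, List, Tuple

# Affected range from the advisory text: Adobe Flash Player 21.0.0.242 and earlier.
MAX_AFFECTED_VERSION = "21.0.0.242"
PRODUCT_NAME = "Adobe Flash Player"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints so it compares numerically.

    Missing trailing components are treated as zero, so "21.0" compares as 21.0.0.0.
    Raises ValueError for non-numeric components (e.g. "unknown").
    """
    nums = tuple(int(part) for part in version.strip().split("."))
    return nums + (0,) * (4 - len(nums))


def is_affected(version: str, max_affected: str = MAX_AFFECTED_VERSION) -> bool:
    """True if the installed version is within the affected range (<= 21.0.0.242)."""
    return parse_version(version) <= parse_version(max_affected)


# Constructed sample inventory: (hostname, product, reported version). Not real data.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-001", "Adobe Flash Player", "21.0.0.242"),  # boundary: still affected
    ("ws-002", "Adobe Flash Player", "21.0.0.197"),  # older build, affected
    ("ws-003", "Adobe Flash Player", "23.0.0.1"),    # constructed newer version, outside range
    ("ws-004", "Adobe Reader", "11.0.10"),           # different product, ignored
    ("ws-005", "Adobe Flash Player", "unknown"),     # inventory gap, must be surfaced
]


def assess_inventory(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Bucket Flash Player hosts into affected / not_affected / unparseable.

    Hosts whose version cannot be parsed are reported separately rather than
    silently dropped, because an unknown version is a remediation gap too.
    """
    result: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unparseable": []}
    for host, product, version in inventory:
        if product != PRODUCT_NAME:
            continue
        try:
            bucket = "affected" if is_affected(version) else "not_affected"
        except ValueError:
            bucket = "unparseable"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feeding the script a real software inventory export in the same (hostname, product, version) shape gives a remediation worklist for SI-2; the `unparseable` bucket is worth reviewing by hand, since hosts with unknown versions cannot be assumed safe.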