Cyber Resilience

CVE-2018-4878

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 06 February 2018

Modified: 18 November 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9351 (99.8th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-4878 is a high-severity Use After Free (CWE-416) vulnerability in Adobe Flash Player. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

A use-after-free vulnerability, tracked as CVE-2018-4878 and assigned CWE-416, affects Adobe Flash Player versions prior to 28.0.0.161. It stems from a dangling pointer in the Primetime SDK during media player handling of listener objects, which can be triggered to permit arbitrary code execution. The flaw carries a CVSS 3.1 base score of 7.8 under the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

An attacker can exploit the issue locally without authentication, provided the victim interacts with malicious content such as a crafted document or web page. Successful exploitation grants full control over the affected process, enabling the attacker to execute arbitrary code with the same privileges as the Flash Player instance.

The vulnerability was actively exploited in the wild during January and February 2018, including in targeted campaigns attributed to Group 123 and large-scale malspam operations. Public references such as the Talos Intelligence report, Morphisec analysis, Red Hat RHSA-2018:0285, and vendor security trackers document these incidents and point to updated Flash Player releases as the primary remediation path.

Vulnerability details

A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to media player handling of listener objects. A successful attack can lead to arbitrary code execution. This was exploited in the wild in January and February 2018.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe · flash player · ≤ 28.0.0.161
redhat · enterprise linux desktop · 6.0
redhat · enterprise linux server · 6.0
redhat · enterprise linux workstation · 6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires timely installation of vendor patches that eliminate the use-after-free flaw in Flash Player.

prevent: Establishes usage restrictions and implementation guidance for mobile code technologies such as Flash, blocking the attack vector before malicious SWF content executes.

prevent: Enforces least functionality by disabling or removing the vulnerable Flash Player component when it is not an explicitly authorized business requirement.
