cbcvebase.
CVE-2014-0515
published 2014-04-29


Priority: P1 · 85 · critical
CVSS 2.0: 10 (AV:N / AC:L / Au:N / C:C / I:C / A:C)
Flags: ITW, EXPLOIT, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 94.57% (99.8th percentile)
Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

Affected

3 ranges

Vendor   Product        Version range              Fixed in
adobe    flash_player   >= 11.0 < 11.2.202.346     11.2.202.346
adobe    flash_player   >= 11.0 < 11.7.700.279     11.7.700.279
adobe    flash_player   >= 11.8 < 13.0.0.206       13.0.0.206

Detection & IOCs (extracted from sources)

hash: 8A5EDD1E23DB8054E6B7B76193A70EDC7C0924320F4D26AB963AA53CEA35AB90
hash: A1465ECE32FA3106AA88FD666EBF8C78
filename: n3.swf
path: /modules/n3.swf
path: /modules/2.swf
path: /modules/1.swf
path: /modules/nu.swf
path: /load_module.php?user=
domain: www.rouleta.org
domain: tsp-team.com
domain: www.air-bilet.ru
domain: www.cook-n-eat.net
domain: www.preotech.ru
snort: SID 30876
snort: SID 30877
snort: SIDs 31229-31232
  • CVE-2014-0515 exploits were delivered via SWF files with short/simple names (e.g., n3.swf, nu.swf, 1.swf, 2.swf) under the /modules/ URI path in the Bleeding Life exploit kit; monitor HTTP requests matching this pattern.
  • Bleeding Life landing page URI pattern uses /load_module.php?user= with values n1, 1, 2, or 11; regex user=(n1|11?|2) can be used for detection.
  • The CVE-2014-0515 Flash exploit (n3.swf hash) was shared between the Bleeding Life and Nuclear exploit kits; detections for one kit may apply to the other.
  • Nuclear exploit kit delivered CVE-2014-0515 alongside CVE-2012-0507 (JAR) and Exploit.PDF-JS (PDF); correlate multi-stage downloads of SWF+JAR+PDF from the same host as a strong indicator of Nuclear EK activity.
  • Win32/Zemot was the payload dropped after successful CVE-2014-0515 exploitation in the Nuclear EK campaign; hunt for the associated EXE hash on endpoints.
  • The Bleeding Life exploit kit hosting domains listed were observed over a 30-day window at time of reporting; they may no longer be active or may have rotated.
  • The CVE-2014-0515 exploits targeted Windows Flash Player users specifically; Linux and Mac users were also affected per the advisory, but active in-the-wild exploitation was Windows-focused.
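As an added example (not from the page or its cited sources), the following script applies the URI patterns described in the notes above to constructed proxy log lines: it anchors the landing-page regex so that user=10 is not a false positive, flags short SWF names under /modules/, and correlates SWF+JAR+PDF downloads from one host per client. The log format and client addresses are assumptions; the one hostname is taken from the domain list above.

```python
import re
from collections import defaultdict

# Landing-page pattern from the notes, anchored so user=10 or user=112 do not match.
LANDING_RE = re.compile(r"/load_module\.php\?user=(n1|11?|2)(?:&|$)")
# Short/simple SWF names (n3, nu, 1, 2) directly under /modules/.
MODULE_SWF_RE = re.compile(r"/modules/[a-z0-9]{1,2}\.swf$")

# Constructed sample proxy lines: "<client> <host> <uri>" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 www.rouleta.org /load_module.php?user=n1
10.0.0.5 www.rouleta.org /modules/n3.swf
10.0.0.5 www.rouleta.org /modules/x.jar
10.0.0.5 www.rouleta.org /modules/doc.pdf
10.0.0.7 cdn.legit.invalid /load_module.php?user=10
10.0.0.7 cdn.legit.invalid /static/player.swf
"""

def classify(uri):
    """Return 'landing', 'module_swf', or None for a single request URI."""
    if LANDING_RE.search(uri):
        return "landing"
    if MODULE_SWF_RE.search(uri):
        return "module_swf"
    return None

def scan(log_text):
    """Return (hits, multistage): matched requests, and (client, host) pairs
    that fetched SWF, JAR and PDF from the same host, per the Nuclear EK note."""
    hits = []
    kinds_by_pair = defaultdict(set)
    for line in log_text.splitlines():
        client, host, uri = line.split(" ", 2)
        kind = classify(uri)
        if kind:
            hits.append((client, host, uri, kind))
        path = uri.split("?", 1)[0]
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in ("swf", "jar", "pdf"):
            kinds_by_pair[(client, host)].add(ext)
    multistage = [p for p, k in kinds_by_pair.items() if k == {"swf", "jar", "pdf"}]
    return hits, multistage

if __name__ == "__main__":
    found, chains = scan(SAMPLE_LOG)
    for h in found:
        print("hit:", h)
    print("multi-stage SWF+JAR+PDF from same host:", chains)
```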

CVSS provenance

nvd: v2.0 10.0 CRITICAL AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 10.0 CRITICAL
vendor_redhat: 10.0 CRITICAL