CVE-2015-0310
published 2015-01-23

Priority: P183 · Severity: high · CVSS 3.1 base score: 7.8
CVSS 3.1 vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability (due 2022-06-15)
Exploited in the wild
EPSS: 15.22% (96.3rd percentile)
Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism on Windows, and have an unspecified impact on other platforms, via unknown vectors, as exploited in the wild in January 2015.

Affected

3 ranges
Vendor | Product      | Version range          | Fixed in
adobe  | flash_player | < 11.2.202.438         | 11.2.202.438
adobe  | flash_player | < 13.0.0.262           | 13.0.0.262
adobe  | flash_player | >= 14.0, < 16.0.0.287  | 16.0.0.287

Detection & IOCs (extracted from sources)

Hash (SHA-256): 1f6a4a3314b250e73a5649e2495ec131b27840d0948065f2a9c283a689a7b944
Snort SIDs: 29066, 31332, 33182, 33183, 33184, 33185, 33186, 33187, 33188
  • The Angler EK 0-day exploit is selectively served only to specific User Agents — Chrome-based or non-standard user agents are served other exploits but NOT the Flash 0-day. Detection should focus on IE/Firefox UA strings receiving Flash exploit content.
  • Angler EK domains hosting the CVE-2015-0310 exploit were registered under the single email address [email protected]. Pivoting on this registrant can surface additional malicious infrastructure.
  • Domains hosting the exploit were rapidly registered and rotated, typically used for only ~24 hours. Monitor for newly registered domains resolving to 46.105.251.7 or 94.23.247.180.
  • The exploit runs entirely in memory and does not use common monitored API calls such as CreateProcess or WriteFile, making host-based AV detection harder. Focus on memory-based or network-based detection.
  • A GET request to www.ecb.europa.eu observed post-compromise is a high-probability indicator of Bedep infection, which was a primary payload delivered via the Angler EK campaign exploiting CVE-2015-0310.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
osv           |         | 7.8   | HIGH     |
vulncheck     |         | 7.8   | HIGH     |
cisa          |         | 7.8   | HIGH     |
vendor_redhat |         | 7.8   | HIGH     |