CVE-2015-0336
published 2015-03-13


Priority: P181 | Severity: critical | Score: 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 71.54% (99.3th percentile)
Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-0334.

Affected

17 ranges
Vendor | Product | Version range | Fixed in
adobe | flash_player | <= 13.0.0.264 |
adobe | flash_player | <= 11.2.202.442 |

Detection & IOCs (extracted from sources)

path: data/exploits/CVE-2015-0336/msf.swf
path: data/exploits/CVE-2015-0336/trigger.swf
url: http://malware.dontneedcoffee.com/2015/03/cve-2015-0336-flash-up-to-1600305-and.html
url: https://www.fireeye.com/blog/threat-research/2015/03/cve-2015-0336_nuclea.html
url: https://blog.malwarebytes.org/exploits-2/2015/03/nuclear-ek-leverages-recently-patched-flash-vulnerability/
url: http://googleprojectzero.blogspot.com/2015/04/a-tale-of-two-exploits.html
  • The exploit delivers two SWF files: a main exploit SWF (msf.swf) and a trigger SWF (trigger.swf), both served with Content-Type application/x-shockwave-flash. Detect HTTP responses serving SWF content referencing CVE-2015-0336 exploit paths.
  • The Metasploit module targets Windows 7 SP1 (32-bit) with IE 8/IE11 and Adobe Flash 16.0.0.305 specifically. Browser requirement checks for Flash version matching ^16\. — use this to scope detection to vulnerable Flash versions.
  • The Angler Exploit Kit used 302 cushioning and domain shadowing to deliver the Flash CVE-2015-0336 exploit. The function name 'flash_run' appears in the exploit kit's deobfuscated code as the handler for this specific CVE.
  • Angler EK payload was delivered as an LZMA compressed SWF followed by an encrypted malware payload. Detect LZMA-compressed SWF files in HTTP traffic as a sign of Angler EK exploitation.
  • The exploit HTML template embeds the SWF via an <object> tag with FlashVars parameters 'sh' and 'tr'. Detect HTML pages containing both FlashVars with 'sh=' and 'tr=' parameters alongside SWF object tags as a potential exploit delivery indicator.
  • The exploit targets the NetConnection class in Adobe Flash Player. Monitor for Flash processes spawning unexpected child processes (e.g., cmd.exe, powershell.exe) as a post-exploitation indicator.
  • The Metasploit module's browser requirements restrict exploitation to Windows 7 SP1 (32-bit) with Internet Explorer and Flash versions matching ^16.x. The module will not fire against other OS/browser/Flash version combinations without modification.
  • CVE-2015-0336 is a distinct type confusion vulnerability from CVE-2015-0334, though both affect the same Flash Player versions and were fixed in the same advisory (APSB15-05). Ensure detection rules differentiate between the two CVEs.
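
A triage sketch for two of the detection notes above (LZMA-compressed SWF bodies, and HTML whose FlashVars carry both 'sh' and 'tr'), added here as an example and not taken from this page or its sources. The function names, finding labels and sample responses are hypothetical, and the FWS/CWS/ZWS signatures come from the SWF file format specification rather than from this entry.

```python
import re
import struct

# Signatures from the SWF file format specification (assumption: not stated on this page).
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}

# FlashVars as <param name="FlashVars" value="..."> or as an <embed flashvars="..."> attribute.
FLASHVARS_RE = re.compile(
    r"""<param[^>]*name\s*=\s*["']?flashvars["']?[^>]*value\s*=\s*["']([^"']*)["']"""
    r"""|<embed[^>]*\sflashvars\s*=\s*["']([^"']*)["']""",
    re.IGNORECASE,
)

def swf_header(body: bytes):
    """Return (compression, version, declared_length), or None if body is not SWF."""
    if len(body) < 8 or body[:3] not in SWF_SIGNATURES:
        return None
    return SWF_SIGNATURES[body[:3]], body[3], struct.unpack("<I", body[4:8])[0]

def flashvars_has_sh_tr(html: str) -> bool:
    """True when one FlashVars value carries both an 'sh' and a 'tr' key."""
    for groups in FLASHVARS_RE.findall(html):
        value = (groups[0] or groups[1]).replace("&amp;", "&")
        keys = {pair.split("=", 1)[0].strip() for pair in value.split("&")}
        if {"sh", "tr"} <= keys:
            return True
    return False

def triage(content_type: str, body: bytes) -> list:
    """Map one HTTP response to the detection notes above."""
    findings = []
    hdr = swf_header(body)
    if hdr:
        findings.append(f"swf:{hdr[0]}:v{hdr[1]}")
        if hdr[0] == "lzma":
            findings.append("lzma-compressed-swf")
    elif "html" in content_type.lower():
        if flashvars_has_sh_tr(body.decode("utf-8", "replace")):
            findings.append("flashvars-sh-tr")
    return findings

# Constructed sample responses (not captured traffic).
SAMPLE_LZMA_SWF = b"ZWS" + bytes([16]) + struct.pack("<I", 4096) + b"\x00" * 16
SAMPLE_HTML = (b'<object type="application/x-shockwave-flash" data="/a/b.swf">'
               b'<param name="FlashVars" value="sh=QUJDRA==&tr=/a/c.swf"></object>')

if __name__ == "__main__":
    print(triage("application/x-shockwave-flash", SAMPLE_LZMA_SWF))
    print(triage("text/html; charset=utf-8", SAMPLE_HTML))
```

Both findings are weak signals on their own, since legitimate Flash content can be LZMA-compressed and can use arbitrary FlashVars keys; they are meant to be correlated with the other indicators listed here.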

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
osv | | 9.3 | CRITICAL |
vulncheck | | 9.3 | CRITICAL |
vendor_redhat | | 9.3 | CRITICAL |