cbcvebase.
CVE-2015-0359
published 2015-04-14

CVE-2015-0359: Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux…

Priority: P1 · 81 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N / AC:L / Au:N / C:C / I:C / A:C
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 95.18% (99.9th percentile)
Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0346.

Affected

28 ranges · showing 25

Vendor · Product · Version range · Fixed in
adobe · flash_player · <= 13.0.0.264
adobe · flash_player · <= 11.2.202.451
adobe · flash_player · (15 further ranges; version data not present on the page)
opensuse · opensuse · (2 ranges)
redhat · enterprise_linux_desktop_supplementary · (2 ranges)
redhat · enterprise_linux_server_supplementary · (2 ranges)
redhat · enterprise_linux_server_supplementary_eus
redhat · enterprise_linux_workstation_supplementary

Detection & IOCs (extracted from sources)

hash: 049ff69bc23f36a78d86bbf1356c2f63c
hash: d45808cfa6f3cbfb343fdea269fdc375
path: data/exploits/CVE-2015-0359/msf.swf
url: https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
url: https://www.fireeye.com/blog/threat-research/2015/04/angler_ek_exploiting.html
url: http://malware.dontneedcoffee.com/2015/04/cve-2015-0359-flash-up-to-1700134-and.html
  • The exploit targets specific Flash Player versions: 13.0.0.277 and 17.0.0.134 use a distinct exploit trigger path (CVE-2015-X/UAF), while 13.0.0.250–13.0.0.269 and 15.0.0.189–16.0.0.305 use CVE-2015-0313. Detection should flag Flash versions 17.0.0.134 and 13.0.0.277 as actively exploited.
  • The Angler EK exploit SWF uses a multi-layer packing technique via `Loader.loadBytes()` to embed an encoded inner SWF that is decoded and loaded entirely in memory without being written to disk; look for in-memory SWF loading without disk artifacts.
  • The exploit uses ActionScript workers (Flash threads) to free a ByteArray assigned to ApplicationDomain.domainMemory without notifying subscribers, triggering a UAF. Behavioral detection should monitor for ApplicationDomain.domainMemory assignment followed by worker-side ByteArray.clear() calls.
  • The Metasploit module targets Windows 7 SP1 (32-bit) with IE 8 or IE11 and Flash 17.x. Browser/OS fingerprinting in HTTP requests matching this combination should be treated as high-risk for this exploit.
  • The HanJuan exploit kit used false ads and shortened URLs to deliver CVE-2015-0359 exploits. Shortened URL redirects leading to SWF delivery should be flagged in proxy/web gateway logs.
  • The exploit SWF uses variable substitution, NOP insertion, and JavaScript function hooks for obfuscation. Deobfuscation pipelines should look for regex/math/concat/split/replace chains constructing values assigned to variables in JS wrapping malicious SWFs.
  • The sample attributed to CVE-2015-0359 in the Angler EK (MD5: 049ff69bc23f36a78d86bbf1356c2f63c) was assessed by Unit 42 to actually exploit a distinct UAF vulnerability they call 'CVE-2015-X', not a double-free as described in the official CVE-2015-0359. The official CVE describes a double-free, but the in-the-wild exploit is a UAF.
  • Both CVE-2015-0359 and CVE-2015-X were fixed simultaneously in Flash Player 17.0.0.169 (April 14, 2015). Exploit activity targeting Flash 17.0.0.134 may be attributed to either CVE in threat intelligence reports.

CVSS provenance

nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
osv · 10.0 · CRITICAL
vulncheck · 10.0 · CRITICAL
vendor_redhat · 10.0 · CRITICAL