CVE-2015-2432
published 2015-08-15

CVE-2015-2432: ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1…

Priority: P270 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 30.27% (98.0th percentile)
ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Parsing Vulnerability."

Affected

2 ranges
Vendor      Product                Version range   Fixed in
microsoft   windows_server_2008
microsoft   windows_server_2012

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37920.zip
filename: ATMFD.DLL
  • Monitor for kernel crashes (PAGE_FAULT_IN_NONPAGED_AREA / BUGCHECK 0x50) originating from ATMFD.DLL, specifically write faults at ATMFD+0x345c9 involving an uninitialized pool pointer (EAX=a3a3a3a3) dereferenced via 'or dword ptr [eax+38h], 10h'.
  • Treat any crafted OTF/OpenType font file that triggers a malformed CFF table as a potential exploit artifact for CVE-2015-2432; the vulnerability is a write to an uninitialized address caused by the CFF table supplying an inflated pointer-array count (EBX=8) while only 4 pointers are initialized.
  • Enable Special Pools for ATMFD.DLL during forensic analysis or sandboxed detonation to force an immediate, deterministic crash when the bug is triggered, aiding reliable detection of exploit attempts.
  • The crash and uninitialized-pointer pattern (a3a3a3a3) is only reliably observable when Driver Verifier / Special Pools is enabled for ATMFD.DLL; on default Windows installations the pool bytes may differ, making the specific byte signature less reliable as a universal indicator.
  • Symbols for ATMFD.DLL may not be available in all environments, limiting the reliability of offset-based detection rules (e.g., ATMFD+0x345c9) across different patch levels or builds.