CVE-2015-2459
published 2015-08-15

Priority: P272
Severity: critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 32.35% (98.1th percentile)

ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Parsing Vulnerability," a different vulnerability than CVE-2015-2458 and CVE-2015-2461.

Affected (2 ranges)

Vendor     Product               Version range   Fixed in
microsoft  windows_server_2008
microsoft  windows_server_2012

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37922.zip
other: ATMFD+0x34072
other: ATMFD+0x3407b
  • Enable Special Pools for ATMFD.DLL to force an immediate crash on trigger, aiding in detection and reproduction of the vulnerability in lab/forensic environments.
  • Look for pool tag 'Adbe' (Adobe font driver kernel pool allocations) in memory forensics; corruption or use-after-free of these allocations is the root cause mechanism of this vulnerability.
  • Delivery vector is a crafted OpenType Font (OTF) file processed by ATMFD.DLL; inspect OTF files with malformed CFF tables for exploitation of this CVE.
  • The vulnerability affects ATMFD.DLL across multiple Windows versions (Vista SP2 through Windows 10); the faulting offsets (0x34072 / 0x3407b) are specific to the vulnerable build and may differ across OS versions or patch levels.
  • The crash at ATMFD+0x34072 may not always be observed on default Windows installations without Special Pools enabled; detection based solely on crash signatures may miss exploitation on unmodified systems.