Search
On this page ▾
CVE-2013-0643 — Adobe Flash Player Incorrect Default Permissions Vulnerability

CVE-2013-0643

Adobe Flash Player — Incorrect Firefox Sandbox Permissions Enable Flash-Based Sandbox Escape in Paired Attack with CVE-2013-0648
⚠️ CVSS 3.1  8.8 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

What is Adobe Flash Player?

Adobe Flash Player was a ubiquitous browser plugin enabling rich multimedia. Firefox's browser architecture includes a plugin sandbox — a security boundary around the Flash plugin process meant to limit what Flash can do even if exploited. The sandbox assigns permissions to the Flash process, and if those permissions are incorrect (too broad), a Flash vulnerability can be leveraged to escape the sandbox entirely. Adobe discontinued Flash Player on December 31, 2020.

Overview

CVE-2013-0643 is an incorrect default permissions vulnerability in Adobe Flash Player's Firefox plugin sandbox. The Firefox sandbox grants the Flash plugin process certain operating system permissions; the default permissions were set too broadly, allowing Flash code executing within the sandbox to perform privileged operations that should have been restricted. This permission misconfiguration was chained with CVE-2013-0648 (an ExternalInterface code execution flaw) to achieve a full sandbox escape — code execution inside Flash followed by exploitation of the excessive permissions to break out of Firefox's containment.

Adobe patched both vulnerabilities in Security Bulletin APSB13-08 on February 26, 2013.

Affected Versions

Component Vulnerable Versions Fixed Version
Adobe Flash Player (Firefox plugin) 11.6.602.168 and earlier 11.6.602.171
Adobe Flash Player (other browsers) Less affected by this specific sandbox issue See APSB13-08
Adobe AIR 3.6.0.597 and earlier See APSB13-08

Technical Details

Firefox's plugin architecture runs the Flash plugin in a separate process with restricted permissions — a design intended to limit the damage if Flash is exploited. CVE-2013-0643 is specifically about the permissions granted to that Flash plugin process being misconfigured (incorrect defaults).

The attack chain works as follows:

  1. CVE-2013-0648 achieves code execution inside the Flash plugin process (the sandboxed Flash process)
  2. CVE-2013-0643 exploits the fact that the sandboxed Flash process has incorrect permissions — it can perform OS-level operations that a properly sandboxed process should be unable to do
  3. Using these excessive permissions, the attacker's code escapes the Firefox sandbox and executes with full user-level privileges

This two-CVE chain is the Flash equivalent of the Adobe Reader CVE-2013-0640 + CVE-2013-0641 sandbox escape chain from the same month — demonstrating that multiple products' sandboxes were simultaneously being exploited by sophisticated actors.

Discovery

Discovered through analysis of zero-day exploits found in active targeted attack campaigns in February 2013.

Exploitation Context

CISA added this to the KEV catalog in September 2024, confirming historical confirmed exploitation. The CVE-2013-0643 + CVE-2013-0648 chain was used in targeted spear-phishing and water-holing attacks, delivering full code execution outside Firefox's plugin sandbox with no elevated privileges required from the victim.

Remediation

Adobe Flash Player reached end-of-life on December 31, 2020. Organizations should:

  1. Verify Flash Player is completely removed from all endpoints
  2. Check via endpoint management tools for any remaining Flash installations
  3. Audit legacy systems that required Flash — replace or isolate these
  4. Block .swf file delivery at email and web content filtering

Key Details

PropertyValue
CVE ID CVE-2013-0643
Vendor / Product Adobe — Flash Player
NVD Published2013-02-27
NVD Last Modified2025-10-22
CVSS 3.1 Score8.8
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SeverityHIGH
CISA KEV Added2024-09-17
CISA KEV Deadline2024-10-08
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2024-10-08. The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.

Timeline

DateEvent
2013-02Zero-day exploitation observed — CVE-2013-0643 and CVE-2013-0648 chained to escape Firefox Flash sandbox
2013-02-26Adobe releases APSB13-08 (Flash Player 11.6.602.171) patching both CVE-2013-0643 and CVE-2013-0648
2013-02-27CVE-2013-0643 published
2024-09-17Added to CISA Known Exploited Vulnerabilities catalog
2024-10-08CISA BOD 22-01 remediation deadline

References

ResourceType
NVD — CVE-2013-0643 Vulnerability Database
CISA KEV Catalog Entry US Government
Adobe Security Bulletin APSB13-08 Vendor Advisory

Last updated: 2026-05-22

Suggest an update ↗

Gavin Hollinger & AI assembled this air-gap friendly HTML