CVE-2015-0311 — Adobe Flash Player Remote Code Execution Vulnerability

Adobe Flash Player — Zero-Day RCE Exploited by Angler Exploit Kit Before Patch; Malvertising Wave; Out-of-Band Patch APSB15-03

What Is Adobe Flash Player?

Adobe Flash Player was a ubiquitous browser plugin for interactive multimedia, installed on over 90% of internet-connected computers at its peak. Its cross-platform reach made every Flash vulnerability a potential attack vector against virtually any operating system. Adobe ended Flash Player support on December 31, 2020.

See related Flash vulnerabilities from this campaign: CVE-2015-0310 (ASLR bypass paired with this RCE), CVE-2015-0313 (next major Flash zero-day, February 2015).

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 13, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-0311 is a critical remote code execution zero-day in Adobe Flash Player that was actively exploited by the Angler exploit kit in large-scale malvertising campaigns before Adobe released a patch. Users visiting web pages or viewing ads containing malicious Flash content were silently compromised without any interaction. Adobe released the out-of-band patch APSB15-03 on January 27, 2015, five days after the zero-day was discovered in active exploitation. The CVSS 3.1 score of 9.8 reflects that the flaw is reachable over the network, requires no authentication, and requires no user interaction (the malicious SWF auto-executes in Flash Player).

Affected Versions

Flash Player | Platform | Status
≤ 16.0.0.296 | Windows / Mac | Vulnerable
≤ 11.2.202.442 | Linux | Vulnerable
≥ 16.0.0.305 | Windows / Mac | Fixed (APSB15-03)
≥ 11.2.202.443 | Linux | Fixed (APSB15-03)
All versions | All | EOL — no further patches
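
The table above can be applied mechanically to an asset inventory. The following is an added example, not part of the original advisory or of any Adobe tooling; the inventory layout, host names, platform keys and status labels are assumptions, and it applies the table rows literally without modelling release branches the table does not list.

```python
import re

# Thresholds copied from the Affected Versions table (APSB15-03).
_DESKTOP = {"last_vulnerable": (16, 0, 0, 296), "first_fixed": (16, 0, 0, 305)}
THRESHOLDS = {
    "windows": _DESKTOP,
    "mac": _DESKTOP,
    "linux": {"last_vulnerable": (11, 2, 202, 442), "first_fixed": (11, 2, 202, 443)},
}

def parse_version(text):
    """Parse '16.0.0.296' or '16,0,0,296' into a 4-tuple of ints."""
    parts = re.split(r"[.,]", text.strip())
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash Player version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Map one install to a status label (the labels are this example's own)."""
    limits = THRESHOLDS.get(platform.strip().lower())
    if limits is None:
        return "unknown-platform"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable"      # needs manual review, do not assume safe
    if version <= limits["last_vulnerable"]:
        return "vulnerable"
    if version >= limits["first_fixed"]:
        return "fixed-but-eol"    # patched for this CVE, still unsupported
    return "unlisted"             # falls between the two table rows

def triage(inventory):
    """Group hosts by status so removal work can be prioritised."""
    report = {}
    for host, platform, version in inventory:
        report.setdefault(classify(platform, version), []).append(host)
    return report

# Constructed sample inventory: (host, platform, reported Flash version).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "16.0.0.296"), ("ws-002", "Windows", "16,0,0,305"),
    ("mac-01", "Mac", "16.0.0.300"), ("lnx-01", "Linux", "11.2.202.442"),
    ("lnx-02", "Linux", "11.2.202.443"), ("kiosk-7", "Windows", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:17} {', '.join(hosts)}")
```

Every status other than "unknown-platform" still means Flash is installed, so each listed host remains a candidate for the removal steps under Remediation.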

Technical Details

Root Cause: Memory Corruption in Flash Content Processing

CVE-2015-0311 is a memory corruption vulnerability (likely a use-after-free, buffer overflow, or type confusion) in the way Flash Player processes certain SWF content. It allows an attacker to achieve arbitrary code execution when a specially crafted SWF file is opened or rendered in Flash Player.

Zero-Day Exploitation Timeline

The exploitation window demonstrated the speed of modern exploit kit operations:

  • January 21: Angler begins mass-deploying CVE-2015-0311 in malvertising campaigns
  • January 22: Adobe patches a related ASLR bypass (CVE-2015-0310) in APSB15-02, but CVE-2015-0311 remains a zero-day
  • January 23: Security researchers (including Kafeine) identify and publish details of the zero-day exploitation in the wild
  • January 27: Adobe issues out-of-band APSB15-03 — unusually fast turnaround for a critical Flash zero-day

Pairing With CVE-2015-0310

In Angler's January 2015 campaign, CVE-2015-0311 was paired with CVE-2015-0310 (ASLR bypass):

  1. The malicious SWF first triggers CVE-2015-0310 to learn the Flash process memory layout
  2. With addresses known, CVE-2015-0311 builds a reliable ROP chain and achieves code execution
  3. A payload (typically a downloader or backdoor) is delivered silently to the victim

Attack Characteristics

Attribute | Detail
Attack Vector | Network — malicious SWF via web page or ad
Authentication | None required
User Interaction | None required (auto-executes in Flash)
Exploit Kit | Angler (January 2015 campaign)
Delivery | Malvertising on major websites
Paired | CVE-2015-0310 for ASLR defeat

Discovery

CVE-2015-0311 was discovered during analysis of active exploitation by security researcher Kafeine and others tracking Angler exploit kit campaigns in January 2015. The zero-day was in active use before Adobe was notified, leading to the rapid out-of-band patch cycle.

Exploitation Context

  • Angler exploit kit zero-day: Angler was the most sophisticated commercial exploit kit of the era and uniquely known for incorporating Flash zero-days before patches were available — CVE-2015-0311 was exploited for 6 days before any patch existed
  • Malvertising scale: The January 2015 Angler malvertising campaign used CVE-2015-0311 to deliver payloads to users of major websites through compromised advertising networks; estimates suggest hundreds of thousands of visitors were exposed per day
  • No user interaction required: Unlike phishing attacks requiring clicks, the Flash auto-execution meant any user with Flash enabled visiting a page with the malicious ad was silently compromised
  • Payload delivery: Angler's typical payloads in this campaign included ransomware and banking trojans
  • CISA KEV (2022): Added April 2022

Remediation

CISA BOD 22-01 Deadline: May 4, 2022. The impacted product is end-of-life and should be disconnected if still in use.

  1. Remove Flash Player — uninstall completely from all systems. Adobe's Flash uninstaller and Microsoft's KB4577586 (distributed via Windows Update) remove Flash from Windows systems.

  2. Migrate Flash-dependent applications — any remaining Flash dependency is permanently unpatchable and a source of ongoing risk; migrate to HTML5.

  3. Network isolation — systems that cannot remove Flash should be isolated from untrusted networks and internet access.

  4. Browser controls — all modern browsers have removed Flash support. Legacy browsers with Flash enabled should be replaced with Edge or Chrome.

Key Details

Property | Value
CVE ID | CVE-2015-0311
Vendor / Product | Adobe — Flash Player
NVD Published | 2015-01-23
NVD Last Modified | 2025-11-17
CVSS 3.1 Score | 9.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer
CISA KEV Added | 2022-04-13
CISA KEV Deadline | 2022-05-04
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric | Value
Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | None
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2022-05-04. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

Date | Event
2015-01-21 | Angler exploit kit begins exploiting CVE-2015-0311 zero-day in malvertising campaigns
2015-01-22 | Adobe releases APSB15-02 (patches CVE-2015-0310 ASLR bypass; CVE-2015-0311 still unpatched)
2015-01-23 | CVE-2015-0311 published by NVD; active zero-day exploitation confirmed
2015-01-27 | Adobe releases out-of-band APSB15-03 patching CVE-2015-0311
2020-12-31 | Adobe Flash Player reaches end-of-life
2022-04-13 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-04 | CISA BOD 22-01 remediation deadline