What Is Adobe Flash Player?
Adobe Flash Player was the ubiquitous cross-platform multimedia browser plugin, installed on over 90% of internet-connected computers at peak deployment. Flash's universal presence made every Flash vulnerability a potential attack vector against virtually any Windows, macOS, or Linux system with a browser. Adobe ended Flash Player support December 31, 2020.
2015 was the worst year for Flash zero-days: CVE-2015-0311 (January), CVE-2015-0313 (February), CVE-2015-3043 (April), CVE-2015-5119 (July), CVE-2015-5122 (July), CVE-2015-7645 (October), and CVE-2015-8651 (December) were all exploited as zero-days before Adobe released patches.
Overview
CVE-2015-3043 is a critical memory corruption zero-day in Adobe Flash Player that was actively exploited by the Angler and Magnitude exploit kits in malvertising campaigns before Adobe released a patch. The vulnerability was detected in the wild approximately one week before Adobe's April 2015 Patch Tuesday bulletin APSB15-06 (April 14, 2015). No user interaction was required — any user with Flash enabled visiting a page serving malicious Flash content was silently compromised.
Affected Versions
| Flash Player | Platform | Status |
|---|---|---|
| ≤ 17.0.0.134 | Windows / Mac | Vulnerable |
| ≤ 11.2.202.457 | Linux | Vulnerable |
| ≥ 17.0.0.169 | Windows / Mac | Fixed (APSB15-06) |
| ≥ 11.2.202.460 | Linux | Fixed (APSB15-06) |
| All versions | All | EOL — no further patches |
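As an added example (not part of this advisory or of any Adobe tooling), the following Python compares an inventoried Flash Player version string against the fixed builds in the table above, flags hosts that still carry CVE-2015-3043, and, because Flash is end-of-life, reports every remaining Flash install for removal regardless of build. The host names and platform labels are constructed for illustration.

```python
"""Audit an asset inventory of Flash Player builds against APSB15-06.

Added example; the fixed build numbers are the ones the advisory lists,
the inventory rows below are constructed sample data.
"""
from typing import List, Tuple

# First fixed build per platform, from the Affected Versions table (APSB15-06).
FIXED_VERSIONS = {
    "windows": (17, 0, 0, 169),
    "mac": (17, 0, 0, 169),
    "linux": (11, 2, 202, 460),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted four-part Flash build such as '17.0.0.134' into a tuple.

    Tuples compare element by element, so 17.0.0.134 < 17.0.0.169 and
    11.2.202.457 < 11.2.202.460 without any string tricks.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash build number: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, platform: str) -> bool:
    """True when the build predates the APSB15-06 fix for that platform."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) < FIXED_VERSIONS[key]


def audit_inventory(hosts: List[Tuple[str, str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (host, findings) for every inventoried Flash install.

    Every install gets 'flash-eol-remove' (no patches exist any more);
    builds below the fix threshold additionally get 'CVE-2015-3043'.
    """
    findings = []
    for host, platform, version in hosts:
        issues = ["flash-eol-remove"]
        if is_vulnerable(version, platform):
            issues.insert(0, "CVE-2015-3043")
        findings.append((host, issues))
    return findings


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("kiosk-01", "windows", "17.0.0.134"),   # last vulnerable Windows build
    ("hmi-02", "linux", "11.2.202.457"),     # last vulnerable Linux build
    ("ws-03", "mac", "17.0.0.169"),          # first fixed build, still EOL
]

if __name__ == "__main__":
    for host, issues in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {', '.join(issues)}")
```

The version comparison is only half the check: since every Flash build is past end-of-life, the audit deliberately reports fixed builds too, so a "patched" host is not mistaken for an acceptable one.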
Technical Details
Root Cause: Flash Player Memory Corruption
CVE-2015-3043 involves an out-of-bounds write or similar memory corruption (CWE-787) in Adobe Flash Player's handling of specific SWF content. During ActionScript execution or SWF parsing, Flash writes data past the bounds of the intended buffer, corrupting adjacent heap memory in a way that enables control-flow hijacking.
The exploitation technique follows the standard Flash UAF/overflow pattern:
- Heap grooming — shape the Flash heap to place an attacker-controlled structure adjacent to the corrupted region
- Corrupt target — trigger the memory corruption to overwrite a function pointer or object vtable
- ASLR bypass — combine with an information disclosure for reliable address targeting
- Code execution — Flash jumps to attacker-controlled code; payload is decoded and executed
Exploit Kit Delivery Context
CVE-2015-3043 entered exploit kit rotation approximately one week before Adobe patched it — a pattern consistent with a zero-day previously held by a threat actor being shared with or sold to exploit kit operators. Angler and Magnitude exploit kits distributed the exploit in malvertising campaigns targeting mainstream websites through compromised ad networks.
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — malicious SWF via web page or ad |
| Authentication | None required |
| User Interaction | None required (Flash auto-executes) |
| Zero-Day | Actively exploited ~1 week before patch |
| Exploit Kits | Angler, Magnitude (April 2015) |
| Delivery | Malvertising campaigns |
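As an added example (not from the advisory or from any exploit-kit tracking tool), the following Python identifies Flash content in captured web or ad responses by its SWF file header rather than by the server's Content-Type, and flags files whose declared uncompressed length does not match the payload. The header layout used here (3-byte signature FWS/CWS/ZWS, one version byte, 4-byte little-endian uncompressed length) is from the public SWF file format; the sample responses, URLs and SWF bodies are constructed.

```python
"""Triage captured HTTP responses for SWF (Flash) content by header.

Added example; the SWF header layout is from the public SWF format
specification, the responses below are constructed sample data.
"""
import struct
import zlib
from typing import Dict, List, Optional, Tuple

# Signature -> compression of everything after the 8-byte header.
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf(data: bytes) -> Optional[Dict]:
    """Return header details if `data` is SWF, else None.

    'consistent' is True when the declared uncompressed length matches the
    payload, False when it does not (truncated or malformed file), and None
    for ZWS, whose LZMA framing is not unpacked here.
    """
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    compression = SWF_SIGNATURES[data[:3]]
    version = data[3]
    declared = struct.unpack("<I", data[4:8])[0]
    actual = None
    if compression == "none":
        actual = len(data)
    elif compression == "zlib":
        try:
            actual = 8 + len(zlib.decompress(data[8:]))
        except zlib.error:
            actual = -1  # undecodable body: definitely inconsistent
    return {
        "compression": compression,
        "version": version,
        "declared_length": declared,
        "consistent": None if actual is None else actual == declared,
    }


def scan_responses(responses: List[Tuple[str, str, bytes]]) -> List[Dict]:
    """Return one finding per response whose body is SWF.

    The Content-Type is recorded but never trusted: a malicious SWF served
    as an image or script is still SWF, and the header is what proves it.
    """
    hits = []
    for url, content_type, body in responses:
        info = parse_swf(body)
        if info is not None:
            hits.append({"url": url, "content_type": content_type, **info})
    return hits


# --- constructed sample data -------------------------------------------
def _minimal_swf_body() -> bytes:
    # Frame-size RECT with Nbits=0 (1 byte), 8.8 fixed-point frame rate,
    # frame count, then an End tag: the smallest meaningful SWF body.
    return b"\x00" + struct.pack("<H", 0x0C00) + struct.pack("<H", 1) + b"\x00\x00"


def build_sample_swf(compressed: bool, version: int = 10) -> bytes:
    """Build a tiny valid SWF (FWS or CWS) for testing the scanner."""
    body = _minimal_swf_body()
    sig = b"CWS" if compressed else b"FWS"
    header = sig + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


SAMPLE_RESPONSES = [
    ("http://ad.example/banner1", "application/x-shockwave-flash", build_sample_swf(True)),
    ("http://ad.example/img.gif", "image/gif", build_sample_swf(False)),  # SWF mislabelled
    ("http://ad.example/style.css", "text/css", b"body { color: red }"),
]

if __name__ == "__main__":
    for hit in scan_responses(SAMPLE_RESPONSES):
        print(hit)
```

In practice the input tuples would come from a proxy capture or carved files; the point of the check is that the second sample, served as image/gif, is still reported as Flash because classification is done on the bytes, not on the header the ad server chose to send.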
Discovery
CVE-2015-3043 was identified through exploit kit traffic analysis by security researchers tracking Angler and Magnitude campaigns in early April 2015. Adobe accelerated APSB15-06 to address the zero-day on April 14, 2015 (April Patch Tuesday).
Exploitation Context
- Flash zero-day epidemic of 2015: CVE-2015-3043 was the third Flash zero-day exploited in 2015 — following CVE-2015-0311 (January) and CVE-2015-0313 (February) — demonstrating that multiple threat actors held independent Flash zero-days; the pace of Flash zero-day exploitation in 2015 intensified calls from security researchers for Flash to be killed off entirely
- Malvertising scale: Angler and Magnitude serving malicious Flash via ad networks exposed users of major, otherwise safe websites — estimated millions of users exposed during the pre-patch window
- Ransomware payload delivery: Angler frequently delivered ransomware (CryptoLocker, CryptoWall variants) as the payload after Flash exploitation; CVE-2015-3043 was a ransomware delivery vehicle for users in the April 2015 window
- Flash EOL legacy: Flash has been permanently end-of-life since December 2020; remaining Flash installations are permanently exposed to all known Flash vulnerabilities, including CVE-2015-3043
- CISA KEV (2022): Added March 2022
Remediation
- Remove Flash Player — uninstall from all systems. Adobe's Flash uninstaller and Microsoft's KB4577586 (Windows Update) remove Flash from Windows. Flash is permanently end-of-life with no further security updates.
- Migrate Flash-dependent applications — identify remaining Flash content (internal apps, kiosks, ICS HMIs) and migrate to HTML5 or another supported technology.
- Network isolation — Flash-dependent systems that cannot be decommissioned should be isolated from internet access and untrusted networks.
- Browser controls — all modern browsers have removed Flash support. IE11 with Flash (if still present) should be upgraded to Edge or Chrome.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2015-3043 |
| Vendor / Product | Adobe — Flash Player |
| NVD Published | 2015-04-14 |
| NVD Last Modified | 2025-11-17 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-787 — Out-of-Bounds Write |
| CISA KEV Added | 2022-03-03 |
| CISA KEV Deadline | 2022-03-24 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2015-04-07 | CVE-2015-3043 zero-day actively exploited by exploit kits before patch |
| 2015-04-14 | Adobe Security Bulletin APSB15-06 released; CVE-2015-3043 patched in Flash Player 17.0.0.169 |
| 2015-04-14 | CVE-2015-3043 published by NVD |
| 2020-12-31 | Adobe Flash Player reaches end-of-life |
| 2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-03-24 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2015-3043 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Adobe Security Bulletin APSB15-06 — Security Update for Adobe Flash Player | Vendor Advisory |