CVE-2015-3113 — Adobe Flash Player Heap-Based Buffer Overflow Vulnerability

CVE-2015-3113

Adobe Flash Player — Heap Buffer Overflow Zero-Day Exploited by APT3 ('Operation Clandestine Wolf') and Exploit Kits; Emergency APSB15-11 (June 2015)

What Is Adobe Flash Player?

Adobe Flash Player was the ubiquitous cross-platform multimedia browser plugin, installed on over 90% of internet-connected computers at peak deployment. Flash's universal presence made every Flash vulnerability a potential attack vector against virtually any Windows, macOS, or Linux system with a browser. Adobe ended Flash Player support December 31, 2020.

2015 was the worst year for Flash zero-days: CVE-2015-0311 (January), CVE-2015-0313 (February), CVE-2015-3043 (April), CVE-2015-3113 (June), CVE-2015-5119 (July), CVE-2015-5122 (July), CVE-2015-7645 (October), and CVE-2015-8651 (December) were all exploited as zero-days before Adobe released patches.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 13, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-3113 is a critical heap-based buffer overflow zero-day in Adobe Flash Player exploited by the Chinese-nexus threat actor APT3 (also tracked as UPS, Gothic Panda) in targeted spear-phishing campaigns against aerospace, defense, and telecommunications companies — an operation FireEye named "Operation Clandestine Wolf." Adobe released an emergency out-of-band patch APSB15-11 on June 23, 2015, approximately five days after active exploitation was detected. The vulnerability was simultaneously integrated into commercial exploit kits, exposing non-targeted users to drive-by attacks.

Affected Versions

| Flash Player | Platform | Status |
|---|---|---|
| ≤ 18.0.0.160 | Windows / Mac | Vulnerable |
| ≤ 13.0.0.292 | Windows / Mac (extended support) | Vulnerable |
| ≤ 11.2.202.466 | Linux | Vulnerable |
| 18.0.0.194 | Windows / Mac | Fixed (APSB15-11) |
| 13.0.0.296 | Windows / Mac (extended support) | Fixed (APSB15-11) |
| 11.2.202.468 | Linux | Fixed (APSB15-11) |
| All versions | All | EOL — no further patches |

Technical Details

Root Cause: Heap Buffer Overflow in Flash Media Handling

CVE-2015-3113 is a heap-based buffer overflow (CWE-787) in Adobe Flash Player's media processing or ActionScript runtime components. When Flash processes a specially crafted SWF file containing malformed media elements, the player writes data beyond the bounds of a heap-allocated buffer, corrupting adjacent heap memory in a way that enables control flow hijacking.

The exploitation pattern follows an established Flash heap exploitation technique:

  1. Heap grooming — shape the Flash heap with ActionScript allocations to control layout
  2. Buffer overflow trigger — the crafted SWF causes Flash to write past the end of a heap buffer
  3. Function pointer overwrite — adjacent heap memory containing a vtable or callback pointer is overwritten
  4. ASLR/DEP bypass — typically combined with a separate information leak or heap spray for reliable address resolution
  5. Code execution — Flash executes attacker-controlled shellcode or ROP chain

APT3 Spear-Phishing Delivery

APT3 delivered CVE-2015-3113 via spear-phishing emails containing links to attacker-controlled web pages hosting the malicious Flash content. The landing pages were tailored to target profiles — defense contractors and aerospace companies — and the exploit executed silently when targets visited the link.

Attack Characteristics

| Attribute | Detail |
|---|---|
| Attack Vector | Network — malicious SWF via web page or email link |
| Authentication | None required |
| User Interaction | None required (Flash auto-executes) |
| Zero-Day | Exploited ~5 days before patch |
| APT Attribution | APT3 / UPS / Gothic Panda (China-nexus) |
| Exploit Kits | Rapidly integrated after APSB15-11 |
| Delivery | Spear-phishing (targeted) + drive-by (mass) |

Discovery

FireEye discovered CVE-2015-3113 exploitation while investigating APT3 spear-phishing campaigns in June 2015. FireEye reported the vulnerability to Adobe on June 18, 2015, and Adobe released APSB15-11 five days later. FireEye published the Operation Clandestine Wolf report simultaneously with the patch.

Exploitation Context

  • Operation Clandestine Wolf: APT3 used CVE-2015-3113 in a targeted campaign against U.S. defense, aerospace, and telecommunications companies — consistent with the group's strategic espionage mission focused on defense industrial base targets and technology theft
  • Rapid exploit kit adoption: Within days of APSB15-11 publication, exploit kit operators integrated CVE-2015-3113 into Angler, Nuclear, and Magnitude kits for mass exploitation of unpatched users; the vulnerability's CVSS 9.8 and no-interaction requirement made it highly valuable
  • 2015 Flash zero-day epidemic: CVE-2015-3113 was the fourth Flash zero-day of 2015, cementing Flash's status as the most dangerous browser plugin and intensifying calls from Google, Mozilla, and security researchers for browsers to block or disable Flash by default
  • Flash EOL legacy: Flash has been end-of-life since December 2020; remaining Flash installations are permanently exposed to CVE-2015-3113 and all other known Flash vulnerabilities
  • CISA KEV (2022): Added April 2022

Remediation

CISA BOD 22-01 Deadline: May 4, 2022. The impacted product is end-of-life and should be disconnected if still in use.

  1. Remove Flash Player — uninstall from all systems. Adobe's Flash uninstaller and Microsoft's KB4577586 (Windows Update) remove Flash from Windows. Flash is permanently end-of-life with no further security updates.

  2. Migrate Flash-dependent applications — identify remaining Flash content (internal apps, kiosks, ICS HMIs) and migrate to HTML5 or another supported technology.

  3. Network isolation — Flash-dependent systems that cannot be decommissioned should be isolated from internet access and untrusted networks.

  4. Browser controls — all modern browsers have removed Flash support. IE11 with Flash (if still present) should be upgraded to Edge or Chrome.
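
Added example (not from the original page, Adobe, or CISA): a triage script that classifies an asset inventory against the Affected Versions table above, so the removal and isolation steps can be prioritised. The inventory format, host names, and status labels are assumptions; builds that fall between a "vulnerable" row and a "fixed" row are reported as unlisted rather than guessed.

```python
# Last vulnerable / first fixed builds, copied from the Affected Versions table.
# Key 13 is the extended-support branch; None is the default for other majors.
DESKTOP = {13: ((13, 0, 0, 292), (13, 0, 0, 296)),
           None: ((18, 0, 0, 160), (18, 0, 0, 194))}
THRESHOLDS = {"windows": DESKTOP, "mac": DESKTOP,
              "linux": {None: ((11, 2, 202, 466), (11, 2, 202, 468))}}

def parse_version(text):
    """Return (a, b, c, d) as ints, or None if text is not a dotted quad."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Classify one install against the APSB15-11 builds."""
    branches = THRESHOLDS.get(platform.strip().lower())
    version = parse_version(version_text)
    if branches is None or version is None:
        return "unknown"        # platform not in the table or bad version string
    last_vuln, first_fixed = branches.get(version[0], branches[None])
    if version <= last_vuln:
        return "vulnerable"
    if version >= first_fixed:
        return "fixed-but-eol"  # patched for CVE-2015-3113, still unsupported
    return "unlisted"           # build falls between the table's two rows

def triage(inventory_csv):
    """Map host -> status for 'host,platform,version' lines."""
    report = {}
    for line in inventory_csv.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) == 3:
            report[fields[0]] = classify(fields[1], fields[2])
    return report

# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE = """
ws-001,Windows,18.0.0.160
ws-002,Windows,18.0.0.194
kiosk-07,Windows,13.0.0.292
mac-11,Mac,17.0.0.188
ws-009,Windows,18.0.0.170
lab-02,Linux,unknown
"""

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:10} {status}")
```

Every host that appears in the report still has Flash installed and falls under step 1 or step 3; the status only orders the work.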

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2015-3113 |
| Vendor / Product | Adobe — Flash Player |
| NVD Published | 2015-06-23 |
| NVD Last Modified | 2025-11-17 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-787 — Out-of-Bounds Write |
| CISA KEV Added | 2022-04-13 |
| CISA KEV Deadline | 2022-05-04 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2022-05-04. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

| Date | Event |
|---|---|
| 2015-06-18 | CVE-2015-3113 zero-day exploited by APT3 in spear-phishing campaign targeting aerospace, defense, and telecommunications (Operation Clandestine Wolf) |
| 2015-06-23 | Adobe releases emergency out-of-band APSB15-11; CVE-2015-3113 patched in Flash Player 18.0.0.194 (Windows/Mac) and 11.2.202.468 (Linux) |
| 2015-06-23 | CVE-2015-3113 published by NVD |
| 2015-06-23 | FireEye publishes 'Operation Clandestine Wolf' report documenting APT3 exploitation |
| 2020-12-31 | Adobe Flash Player reaches end-of-life |
| 2022-04-13 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-04 | CISA BOD 22-01 remediation deadline |