CVE-2015-3113

CRITICAL 9.8 (CVSS 3.1)
2015-06-23 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

- Analysis Generated: Mar 26, 2026 - 11:18 (vuln.today)
- Added to CISA KEV: Nov 17, 2025 - 20:15 (cisa), CISA KEV
- PoC Detected: Nov 17, 2025 - 20:15 (vuln.today), Public exploit code
- Patch Released: Nov 17, 2025 - 20:15 (nvd), Patch available
- CVE Published: Jun 23, 2015 - 21:59 (nvd), CRITICAL 9.8

Description

Heap-based buffer overflow in Adobe Flash Player before 13.0.0.296 and 14.x through 18.x before 18.0.0.194 on Windows and OS X and before 11.2.202.468 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in June 2015.

Analysis

Adobe Flash Player contains a heap-based buffer overflow that allows remote code execution, exploited as a zero-day in June 2015 by APT3 (a Chinese cyber espionage group) in phishing campaigns targeting aerospace and defense organizations.

Technical Context

The CWE-787 heap overflow in Flash's media processing code allows memory corruption leading to arbitrary code execution. The exploit was delivered through Flash content embedded in web pages and targeted specific browser/Flash version combinations.

Affected Products

- Adobe Flash Player before 13.0.0.296 (Windows/OS X)
- Adobe Flash Player 14.x through 18.x before 18.0.0.194 (Windows/OS X)
- Adobe Flash Player before 11.2.202.468 (Linux)

Remediation

Flash Player is end-of-life. Remove all Flash installations. Block Flash content at the network perimeter and in browsers.

Priority Score

221
KEV: +50
EPSS: +92.4
CVSS: +49
POC: +20
