CVE-2008-5499

Adobe Flash Player ActionScript Launch Command Execution Vulnerability

Title source: metasploit

Exploitation Summary

EIP tracks 2 public exploits for CVE-2008-5499. PoCs published by Metasploit, 0a29406d9794e4f9b30b3c5d6702c708, including Metasploit module exploits/linux/browser/adobe_flashplayer_aslaunch.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2008-5499, a command execution vulnerability in Adobe Flash Player for Linux (versions 10.0.12.36 and 9.0.151.0 and prior). It leverages shell metacharacters in the ActionScript launch method to achieve RCE when the victim loads a malicious SWF file.

Description

Unspecified vulnerability in Adobe Flash Player for Linux 10.0.12.36, and 9.0.151.0 and earlier, allows remote attackers to execute arbitrary code via a crafted SWF file.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/18761

This Metasploit module exploits CVE-2008-5499, a command execution vulnerability in Adobe Flash Player for Linux (versions 10.0.12.36 and 9.0.151.0 and prior). It leverages shell metacharacters in the ActionScript launch method to achieve RCE when the victim loads a malicious SWF file.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Flash Player for Linux (10.0.12.36, 9.0.151.0 and prior)
No auth needed
Prerequisites: Victim must have Adobe AIR installed · Victim must load the malicious SWF file
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GOOD
by 0a29406d9794e4f9b30b3c5d6702c708 · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb

This Metasploit module exploits CVE-2008-5499, a command execution vulnerability in Adobe Flash Player for Linux (versions 10.0.12.36 and 9.0.151.0 and prior) via shell metacharacters in the ActionScript launch method. It delivers a malicious SWF file to trigger the vulnerability and execute arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Flash Player for Linux (versions 10.0.12.36 and 9.0.151.0 and prior)
No auth needed
Prerequisites: Victim must have Adobe AIR installed · Victim must visit a malicious webpage hosting the exploit
devstral-2 · analyzed Feb 16, 2026

References (13)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1021458
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/33221
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/3449
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2008-1047.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34226
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/33294
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/32896
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/50796
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200903-23.xml
Patch, Vendor Advisory x_refsource_confirm
http://www.adobe.com/support/security/bulletins/apsb08-24.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/47445
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/33267

Scores

EPSS 0.7874
EPSS Percentile 99.5%

Details

CWE: CWE-94
Status: published
Products (6)
adobe/flash_player_for_linux 9.0.31
adobe/flash_player_for_linux 9.0.48.0
adobe/flash_player_for_linux 9.0.115.0
adobe/flash_player_for_linux 9.0.124.0
adobe/flash_player_for_linux 10.0.12.36
adobe/flash_player_for_linux < 9.0.151.0
Published Dec 18, 2008
Tracked Since Feb 18, 2026