CVE-2014-0497

CRITICAL KEV

Adobe Flash Player Integer Underflow Remote Code Execution

Title source: metasploit

Exploitation Summary

CVE-2014-0497 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 17, 2024. EIP tracks 2 public exploits from researchers including Metasploit, Unknown and juan vazquez, among them the Metasploit module exploits/windows/browser/adobe_flash_avm2.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2014-0497, an integer underflow vulnerability in Adobe Flash Player before 12.0.0.43, leading to remote code execution via a crafted SWF file. It targets multiple Flash Player versions on Windows systems.

Description

Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/33212

This Metasploit module exploits CVE-2014-0497, an integer underflow vulnerability in Adobe Flash Player before 12.0.0.43, leading to remote code execution via a crafted SWF file. It targets multiple Flash Player versions on Windows systems.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Flash Player < 12.0.0.43
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Adobe Flash Player ActiveX component must be installed and vulnerable
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC NORMAL
by Unknown, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/adobe_flash_avm2.rb

This Metasploit module exploits CVE-2014-0497, an integer underflow vulnerability in Adobe Flash Player's AVM2 instructions, leading to remote code execution. It delivers a malicious SWF file via a crafted HTML page targeting vulnerable Flash ActiveX versions.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Flash Player before 12.0.0.43
No auth needed
Prerequisites: Victim must visit a malicious webpage · Vulnerable Adobe Flash Player version installed
devstral-2 · analyzed Feb 16, 2026

References (17)

Core References
http://www.exploit-db.com/exploits/33212 (Third Party Advisory, VDB Entry; exploit; x_refsource_exploit-db)
http://helpx.adobe.com/security/products/flash-player/apsb14-04.html (Broken Link, Patch, Vendor Advisory; x_refsource_confirm)
http://rhn.redhat.com/errata/RHSA-2014-0137.html (Third Party Advisory; vendor-advisory; x_refsource_redhat)
http://www.osvdb.org/102849 (Broken Link; vdb-entry; x_refsource_osvdb)
http://www.securityfocus.com/bid/65327 (Broken Link, Third Party Advisory, VDB Entry; vdb-entry; x_refsource_bid)
http://secunia.com/advisories/56799 (Broken Link, Third Party Advisory; third-party-advisory; x_refsource_secunia)
http://www.securitytracker.com/id/1029715 (Broken Link, Third Party Advisory, VDB Entry; vdb-entry; x_refsource_sectrack)
http://secunia.com/advisories/56737 (Broken Link, Third Party Advisory; third-party-advisory; x_refsource_secunia)
http://secunia.com/advisories/56437 (Broken Link, Third Party Advisory; third-party-advisory; x_refsource_secunia)
http://secunia.com/advisories/56780 (Broken Link, Third Party Advisory; third-party-advisory; x_refsource_secunia)
http://secunia.com/advisories/56839 (Broken Link, Third Party Advisory; third-party-advisory; x_refsource_secunia)
https://exchange.xforce.ibmcloud.com/vulnerabilities/90884 (Third Party Advisory, VDB Entry; vdb-entry; x_refsource_xf)

Scores

CVSS v3 9.8
EPSS 0.9316
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2024-09-17
VulnCheck KEV 2015-07-21
InTheWild.io 2024-09-17
ENISA EUVD EUVD-2014-0528
CWE
CWE-191
Status published
Products (14)
adobe/flash_player < 11.2.202.336
google/chrome < 32.0.1700.107
opensuse/opensuse 11.4
opensuse/opensuse 12.3
opensuse/opensuse 13.1
redhat/enterprise_linux_desktop 5.0
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_eus 6.5
redhat/enterprise_linux_server 5.0
redhat/enterprise_linux_server 6.0
... and 4 more
Published Feb 05, 2014
KEV Added Sep 17, 2024
Tracked Since Feb 18, 2026