CVE-2014-0556

EXPLOITED RANSOMWARE

Adobe Flash Player < 13.0.0.244 and 14.x-15.x < 15.0.0.152 - Remote Code Execution via Heap-Based Buffer Overflow

Title source: llm

Exploitation Summary

CVE-2014-0556 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 2 public exploits, credited to Metasploit, Chris Evans, Nicolas Joly, hdarwin and juan vazquez, among them the Metasploit module exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.

AI-analyzed exploit summary: This Metasploit module exploits an integer overflow in Adobe Flash Player's copyPixelsToByteArray method to achieve remote code execution. It delivers a malicious SWF file via a browser exploit server, targeting Windows 7 SP1 with IE 8-11 and Flash versions up to 14.0.0.176.

Description

Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0559.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/36808

This Metasploit module exploits an integer overflow in Adobe Flash Player's copyPixelsToByteArray method to achieve remote code execution. It delivers a malicious SWF file via a browser exploit server, targeting Windows 7 SP1 with IE 8-11 and Flash versions up to 14.0.0.176.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Flash Player <= 14.0.0.176
No auth needed
Prerequisites: Target must visit a malicious webpage · Target must have vulnerable Flash Player version · Target must be using Internet Explorer 8-11 on Windows 7 SP1
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · GREAT
by Chris Evans, Nicolas Joly, hdarwin, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb

This Metasploit module exploits an integer overflow in Adobe Flash Player's `copyPixelsToByteArray` method, allowing arbitrary code execution via a crafted SWF file. It targets Windows systems with Flash versions up to 14.0.0.179.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Flash Player <= 14.0.0.179
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Flash Player must be enabled in the browser
devstral-2 · analyzed Feb 19, 2026

References (14)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/111110
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-201409-05.xml
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/95826
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/61089
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/69696
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/36808/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1030822

Scores

EPSS: 0.8732
EPSS Percentile: 99.5%

Details

VulnCheck KEV: 2014-10-22
Ransomware Use: Confirmed
CWE: CWE-119
Status: published
Products (50)
adobe/adobe_air 13.0.0.83
adobe/adobe_air 13.0.0.111
adobe/adobe_air 14.0.0.110
adobe/adobe_air 14.0.0.137
adobe/adobe_air < 14.0.0.179
adobe/adobe_air_sdk 13.0.0.83
adobe/adobe_air_sdk 13.0.0.111
adobe/adobe_air_sdk 14.0.0.110
adobe/adobe_air_sdk 14.0.0.137
adobe/adobe_air_sdk < 14.0.0.178
... and 40 more
Published: Sep 10, 2014
Tracked Since: Feb 18, 2026