CVE-2015-0311

CRITICAL KEV RANSOMWARE

Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free

Title source: metasploit

Exploitation Summary

CVE-2015-0311 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 13, 2022, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including Metasploit, jr64, and d0now; among them is the Metasploit module exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.

AI-analyzed exploit summary: This Metasploit module exploits a use-after-free vulnerability in Adobe Flash Player's ByteArray::UncompressViaZlibVariant method. It delivers a malicious SWF file to trigger the vulnerability and execute arbitrary code via a PowerShell payload.

Description

Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in January 2015.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/36360

This Metasploit module exploits a use-after-free vulnerability in Adobe Flash Player's ByteArray::UncompressViaZlibVariant method. It delivers a malicious SWF file to trigger the vulnerability and execute arbitrary code via a PowerShell payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Flash Player 16.0.0.287 and earlier
No auth needed
Prerequisites: Target must be using Windows 7 SP1 with Internet Explorer 8-11 and vulnerable Flash version
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by jr64 · local
https://github.com/jr64/CVE-2015-0311

This repository is a reupload of a README file describing an old Linux/Firefox port of an exploit for CVE-2015-0311, a use-after-free vulnerability in Adobe Flash Player. The actual exploit code is not present in the provided files.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Adobe Flash Player (version not specified)
No auth needed
Prerequisites: Vulnerable version of Adobe Flash Player · Target system running Linux with Firefox
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GREAT
by Unknown, hdarwin, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb

This Metasploit module exploits a use-after-free vulnerability in Adobe Flash Player's ByteArray::UncompressViaZlibVariant method. It delivers a malicious SWF file to trigger the vulnerability and achieve remote code execution on vulnerable systems.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Flash Player versions 16.0.0.287 and earlier (Windows), 11.2.202.438 and earlier (Linux)
No auth needed
Prerequisites: Vulnerable version of Adobe Flash Player · Target must visit a malicious webpage or be redirected to it
devstral-2 · analyzed Feb 16, 2026

References (16)

Core References
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-201502-02.xml
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/62660
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/62740
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/62432
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/62650
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00031.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/72283
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/62543
Patch, Vendor Advisory x_refsource_confirm
https://technet.microsoft.com/library/security/2755801
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00027.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1031597

Scores

CVSS v3 9.8
EPSS 0.9255
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-04-13
VulnCheck KEV 2015-01-20
InTheWild.io 2015-01-20
ENISA EUVD EUVD-2015-0324
Ransomware Use Confirmed
Status published
Products (7)
adobe/flash_player < 11.2.202.438
microsoft/edge
microsoft/internet_explorer 10
microsoft/internet_explorer 11
suse/linux_enterprise_desktop 11 sp3
suse/linux_enterprise_desktop 12
suse/linux_enterprise_workstation_extension 12
Published Jan 23, 2015
KEV Added Apr 13, 2022
Tracked Since Feb 18, 2026