CVE-2015-5119

CRITICAL KEV RANSOMWARE

Adobe Flash Player ByteArray Use After Free

Title source: metasploit

Exploitation Summary

CVE-2015-5119 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022, with confirmed use in ransomware campaigns. EIP tracks 7 public exploits from researchers including Metasploit, OpenSISE, CiscoCXSecurity, including a Metasploit module exploits/multi/browser/adobe_flash_hacking_team_uaf.

AI-analyzed exploit summary This Metasploit module exploits a use-after-free vulnerability in Adobe Flash Player (CVE-2015-5119) by delivering a malicious SWF file via a browser exploit server. It targets Windows and Linux systems with specific Flash versions and achieves remote code execution.

Description

Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

Exploits (7)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotemultiple

https://www.exploit-db.com/exploits/37523

View Code ZIP pw:eip

This Metasploit module exploits a use-after-free vulnerability in Adobe Flash Player (CVE-2015-5119) by delivering a malicious SWF file via a browser exploit server. It targets Windows and Linux systems with specific Flash versions and achieves remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Adobe Flash Player <= 18.0.0.194 (Windows), <= 11.2.202.468 (Linux)

No auth needed

Prerequisites: Victim must visit a malicious URL · Target must have vulnerable Flash Player version

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github STUB 31 stars

by OpenSISE · cpoc

https://github.com/OpenSISE/CVE_PoC_Collect/tree/master/RCE/flash/CVE-2015-5119

View Code ZIP pw:eip

The repository contains only a README.md file with a title and no functional exploit code or technical details. It appears to be a placeholder without any meaningful content.

Classification

Stub 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: unknown

No auth needed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WRITEUP 13 stars

by CiscoCXSecurity · client-side

https://github.com/CiscoCXSecurity/CVE-2015-5119_walkthrough

View Code ZIP pw:eip

This repository contains a walkthrough for CVE-2015-5119, a vulnerability in Cisco CX. The README.md file does not include exploit code but provides documentation or steps related to the vulnerability.

Classification

Writeup 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: Cisco CX (version not specified)

No auth needed

Prerequisites: Access to the target system or network

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 12 stars

by jvazquez-r7 · poc

https://github.com/jvazquez-r7/CVE-2015-5119

View Code ZIP pw:eip

This is a legitimate SWFObject library file, which is a JavaScript library used to embed Adobe Flash content. It is not an exploit itself but is part of the proof-of-concept for CVE-2015-5119, which involves a vulnerability in Adobe Flash Player.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Adobe Flash Player

No auth needed

Prerequisites: Victim must visit a malicious webpage hosting the exploit

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 3 stars

by dangokyo · poc

https://github.com/dangokyo/CVE-2015-5119

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2015-5119, a COOP (Cross-Origin Object Protocol) vulnerability. The exploit leverages SWFObject to manipulate Flash objects, potentially bypassing same-origin policies.

Classification

Working Poc 80%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: Adobe Flash Player

No auth needed

Prerequisites: Victim must have Adobe Flash Player installed · Victim must visit a malicious webpage hosting the exploit

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

vulncheck_xdb WORKING POC

client-side

https://github.com/Xattam1/Adobe-Flash-Exploits_17-18

View Code ZIP pw:eip

This repository contains a functional Python3 script that hosts a web server to exploit Adobe Flash vulnerabilities (CVE-2015-3090, CVE-2015-3105, CVE-2015-5119, CVE-2015-5122) by serving malicious SWF files and executing a base64-encoded payload. The exploit supports both direct HTML and XSS-based attack paths.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Adobe Flash (versions 17.0.0.169, 17.0.0.188, 18.0.0.194, 18.0.0.203)

No auth needed

Prerequisites: Victim must visit the attacker-controlled web server · Adobe Flash must be installed and vulnerable · Base64-encoded payload (e.g., Meterpreter) must be generated

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

metasploit WORKING POC GREAT

by Unknown, juan vazquez, sinn3r · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb

View Code ZIP pw:eip

This Metasploit module exploits a use-after-free vulnerability in Adobe Flash Player (CVE-2015-5119) by delivering a malicious SWF file via a browser exploit server. It achieves remote code execution by leveraging a crafted ByteArray object to corrupt memory and execute arbitrary payloads.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Adobe Flash Player <= 18.0.0.194 (Windows), <= 11.2.202.468 (Linux)

No auth needed

Prerequisites: Victim must visit a malicious webpage or be redirected to it · Adobe Flash Player must be installed and vulnerable

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (18)

Core 18

Core References

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1032809

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/75568

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00015.html

Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert

http://www.us-cert.gov/ncas/alerts/TA15-195A

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00017.html

Third Party Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2015-1214.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201507-13

Third Party Advisory x_refsource_misc

http://www.rapid7.com/db/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf

Broken Link, Patch, Vendor Advisory x_refsource_confirm

https://helpx.adobe.com/security/products/flash-player/apsa15-03.html

Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/561288

Broken Link, Patch, Vendor Advisory x_refsource_confirm

https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://packetstormsecurity.com/files/132600/Adobe-Flash-Player-ByteArray-Use-After-Free.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00016.html

Broken Link x_refsource_misc

http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/

Broken Link x_refsource_misc

http://twitter.com/w3bd3vil/statuses/618168863708962816

Issue Tracking

https://github.com/cisagov/vulnrichment/issues/196

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-5119

Scores

CVSS v3 9.8

EPSS 0.9321

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-03-03

VulnCheck KEV 2015-07-05

InTheWild.io 2015-07-05

ENISA EUVD EUVD-2015-5134

Ransomware Use Confirmed

CWE

CWE-416

Status published

Products (17)

adobe/flash_player 13.0.0.182 - 13.0.0296

opensuse/evergreen 11.4

opensuse/opensuse 13.1

opensuse/opensuse 13.2

redhat/enterprise_linux_desktop 5.0

redhat/enterprise_linux_desktop 6.0

redhat/enterprise_linux_eus 6.6

redhat/enterprise_linux_server 5.0

redhat/enterprise_linux_server 6.0

redhat/enterprise_linux_server_aus 6.6

... and 7 more

Published Jul 08, 2015

KEV Added Mar 03, 2022

Tracked Since Feb 18, 2026