CVE-2015-5122

CRITICAL KEV RANSOMWARE

Adobe Flash opaqueBackground Use After Free

Title source: metasploit

Exploitation Summary

CVE-2015-5122 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 13, 2022, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including Metasploit, Unknown, juan vazquez, sinn3r, including a Metasploit module exploits/multi/browser/adobe_flash_opaque_background_uaf.

AI-analyzed exploit summary This Metasploit module exploits a use-after-free vulnerability in Adobe Flash Player (CVE-2015-5122) by manipulating the opaqueBackground property of the flash.display.DisplayObject class. It delivers a malicious SWF file via a browser exploit server to achieve remote code execution on vulnerable Windows systems.

Description

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/37599

View Code ZIP pw:eip

This Metasploit module exploits a use-after-free vulnerability in Adobe Flash Player (CVE-2015-5122) by manipulating the opaqueBackground property of the flash.display.DisplayObject class. It delivers a malicious SWF file via a browser exploit server to achieve remote code execution on vulnerable Windows systems.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Adobe Flash Player versions 18.0.0.203 and below

No auth needed

Prerequisites: Vulnerable Adobe Flash Player version · Target system running Windows 7 or 8.1 · Browser with Flash plugin enabled

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

vulncheck_xdb WORKING POC

client-side

https://github.com/Xattam1/Adobe-Flash-Exploits_17-18

View Code ZIP pw:eip

This repository contains a functional Python3 script that hosts a web server to exploit Adobe Flash vulnerabilities (CVE-2015-3090, CVE-2015-3105, CVE-2015-5119, and CVE-2015-5122) by serving malicious SWF files and executing a base64-encoded payload. The script supports both direct HTML and XSS-based attack paths.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Adobe Flash (versions 17.0.0.169, 17.0.0.188, 18.0.0.194, 18.0.0.203)

No auth needed

Prerequisites: Victim must visit the attacker-controlled web server · Victim must have a vulnerable version of Adobe Flash installed · Attacker must generate a compatible payload (e.g., using msfvenom)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

metasploit WORKING POC GREAT

by Unknown, juan vazquez, sinn3r · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb

View Code ZIP pw:eip

This Metasploit module exploits a use-after-free vulnerability in Adobe Flash Player (CVE-2015-5122) by manipulating the `opaqueBackground` property of the `flash.display.DisplayObject` class. It delivers a malicious SWF file embedded in an HTML page to achieve remote code execution on vulnerable Windows systems.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Adobe Flash Player versions 18.0.0.194 to 18.0.0.203

No auth needed

Prerequisites: Vulnerable Adobe Flash Player version · Target must visit a malicious webpage hosting the exploit

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (22)

Core 22

Core References

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1032890

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00028.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_hp

http://marc.info/?l=bugtraq&m=144050155601375&w=2

Third Party Advisory x_refsource_confirm

https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04952467

Broken Link, Third Party Advisory x_refsource_misc

https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html

Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert

http://www.us-cert.gov/ncas/alerts/TA15-195A

Broken Link, Vendor Advisory x_refsource_confirm

https://helpx.adobe.com/security/products/flash-player/apsb15-18.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00029.html

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201508-01

Third Party Advisory x_refsource_misc

http://www.rapid7.com/db/modules/exploit/multi/browser/adobe_flash_opaque_background_uaf

Broken Link, Third Party Advisory vendor-advisory x_refsource_hp

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04796784

Third Party Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2015-1235.html

Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/338736

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/37599/

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/75712

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/132663/Adobe-Flash-opaqueBackground-Use-After-Free.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00032.html

Broken Link, Third Party Advisory x_refsource_misc

https://perception-point.io/2018/04/11/breaking-cfi-cve-2015-5122-coop/

Broken Link, Vendor Advisory x_refsource_confirm

https://helpx.adobe.com/security/products/flash-player/apsa15-04.html

Broken Link, Third Party Advisory x_refsource_misc

https://perception-point.io/new/breaking-cfi.php

Issue Tracking

https://github.com/cisagov/vulnrichment/issues/196

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-5122

Scores

CVSS v3 9.8

EPSS 0.9270

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-04-13

VulnCheck KEV 2015-07-05

InTheWild.io 2015-07-05

ENISA EUVD EUVD-2015-5137

Ransomware Use Confirmed

CWE

CWE-416

Status published

Products (15)

adobe/flash_player 11.0 - 11.2.202.481

adobe/flash_player 13.0 - 13.0.0.302

adobe/flash_player 18.0 - 18.0.0.203 (3 CPE variants)

adobe/flash_player_desktop_runtime 18.0 - 18.0.0.203

opensuse/evergreen 11.4

redhat/enterprise_linux_desktop 5.0

redhat/enterprise_linux_desktop 6.0

redhat/enterprise_linux_server 5.0

redhat/enterprise_linux_server 6.0

redhat/enterprise_linux_server_eus 6.6

... and 5 more

Published Jul 14, 2015

KEV Added Apr 13, 2022

Tracked Since Feb 18, 2026