CVE-2018-15982

HIGH KEV RANSOMWARE

Adobe Flash Player < 31.0.0.153 - Use-After-Free

Title source: llm

Exploitation Summary

CVE-2018-15982 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 15, 2022, with confirmed use in ransomware campaigns. EIP tracks 9 public exploits from researchers including smgorelik, Ridter, and scanfsec.

AI-analyzed exploit summary: This exploit targets CVE-2018-15982, a command injection vulnerability in Adobe ColdFusion. The PoC likely contains a script or binary that demonstrates remote code execution by leveraging improper input validation in the software.

Description

Flash Player versions 31.0.0.153 and earlier, and 31.0.0.108 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution.

Exploits (9)

exploitdb WORKING POC
by smgorelik · text · local · windows
https://www.exploit-db.com/exploits/46051

This exploit targets CVE-2018-15982, a command injection vulnerability in Adobe ColdFusion. The PoC likely contains a script or binary that demonstrates remote code execution by leveraging improper input validation in the software.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe ColdFusion (versions affected by CVE-2018-15982)
No auth needed
Prerequisites: Network access to vulnerable ColdFusion server · Knowledge of target endpoint or parameter for injection
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 181 stars
by Ridter · client-side
https://github.com/Ridter/CVE-2018-15982_EXP

This exploit targets CVE-2018-15982, a deserialization vulnerability in Adobe ColdFusion. The PoC includes a crafted payload that, when deserialized, can lead to remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Adobe ColdFusion (versions prior to 2018 Update 6, 2016 Update 10)
No auth needed
Prerequisites: Network access to the target ColdFusion server · Vulnerable version of Adobe ColdFusion
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 29 stars
by scanfsec · client-side
https://github.com/scanfsec/CVE-2018-15982

This repository contains an Aggressor Script for CobaltStrike to exploit CVE-2018-15982, a vulnerability in Adobe Flash Player. The exploit is designed to launch a drive-by attack via Internet Explorer, delivering a shell within the IE sandbox.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Flash Player <= 31.0.0.153
No auth needed
Prerequisites: Outdated Adobe Flash Player · Internet Explorer · CobaltStrike environment
devstral-2 · analyzed Feb 16, 2026

nomisec STUB 14 stars
by Ormicron · poc
https://github.com/Ormicron/CVE-2018-15982_PoC

The repository contains only a README with a brief description and a GIF link, lacking any actual exploit code or technical details. It references a PoC from Any.Run but does not provide executable content.

Classification: Stub 30%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 12 stars
by jas502n · client-side
https://github.com/jas502n/CVE-2018-15982_EXP_IE

This is a Python-based exploit for CVE-2018-15982, targeting Adobe Flash Player. The exploit leverages a use-after-free vulnerability to achieve remote code execution (RCE) via a crafted SWF file embedded in the payload.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Adobe Flash Player (versions prior to 31.0.0.153)
No auth needed
Prerequisites: Victim must visit a malicious webpage or open a malicious SWF file · Adobe Flash Player must be installed and vulnerable
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 11 stars
by kphongagsorn · client-side
https://github.com/kphongagsorn/adobe-flash-cve2018-15982

This repository contains a Python script to generate a malicious SWF file exploiting CVE-2018-15982, a use-after-free vulnerability in Adobe Flash. The exploit allows arbitrary code execution by embedding shellcode and a user-supplied command in the SWF file.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Flash Player 31.0.0.153, 29.0.0.140
No auth needed
Prerequisites: Target must have vulnerable Adobe Flash Player installed · Target must open the malicious SWF file
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 5 stars
by SyFi · poc
https://github.com/SyFi/CVE-2018-15982

This repository contains a Flash (.swf) exploit file for CVE-2018-15982, which is a Use-After-Free (UAF) vulnerability in Adobe Flash. The exploit is accompanied by a README with references to a writeup and demonstration video.

Classification: Working PoC 80%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Flash Player (versions affected by CVE-2018-15982)
No auth needed
Prerequisites: Victim must open the malicious .swf file in a vulnerable version of Adobe Flash Player
devstral-2 · analyzed Feb 16, 2026

gitlab SUSPICIOUS
by 0x1 · poc
https://gitlab.com/0x1/CVE-2018-15982

The repository lacks actual exploit code and instead points to external resources (Arabic writeup, Twitter, YouTube) without providing technical details or the referenced 'p0c.swf' file. This is characteristic of a social engineering lure.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Adobe Flash Player (version unspecified)
No auth needed
Prerequisites: none specified
devstral-2 · analyzed Feb 23, 2026

nomisec WORKING POC
by FlatL1neAPT · poc
https://github.com/FlatL1neAPT/CVE-2018-15982

This repository contains a weaponized ActiveX object exploit for CVE-2018-15982, a vulnerability in Adobe Flash Player. The payloads are embedded in Class 6 and 7 of the provided Flash sources, indicating a fully functional exploit.

Classification: Working PoC 80%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Flash Player
No auth needed
Prerequisites: Victim must have vulnerable Adobe Flash Player installed · Victim must visit a malicious webpage or open a malicious file
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3795
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46051/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/106116

Scores

CVSS v3 7.8
EPSS 0.9361
EPSS Percentile 99.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-02-15
VulnCheck KEV 2018-11-29
InTheWild.io 2018-11-29
ENISA EUVD EUVD-2018-7838
Ransomware Use Confirmed
CWE CWE-416
Status published
Products (5)
adobe/flash_player < 31.0.0.153 (4 CPE variants)
adobe/flash_player_installer < 31.0.0.108
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_server 6.0
redhat/enterprise_linux_workstation 6.0
Published Jan 18, 2019
KEV Added Feb 15, 2022
Tracked Since Feb 18, 2026