CVE-2015-7645

CVE-2015-7645 is a high-severity vulnerability in Adobe Flash Player with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-03).

Key facts

Description

Adobe Flash Player 18.x through 18.0.0.252 and 19.x through 19.0.0.207 on Windows and OS X and 11.x through 11.2.202.535 on Linux allows remote attackers to execute arbitrary code via a crafted SWF file, as exploited in the wild in October 2015.

CVE-2015-7645: Adobe Flash Player Type Confusion RCE Exploited in Pawn Storm Campaign

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2015-7645 is a critical remote code execution vulnerability in Adobe Flash Player. A crafted SWF file can trigger a type confusion condition in the IExternalizable.writeExternal interface, allowing an attacker to execute arbitrary code in the context of the affected process. The vulnerability was exploited in the wild during October 2015 as part of the Pawn Storm campaign, a long-running cyber-espionage operation targeting government and military organizations.

Background

Adobe Flash Player was a widely deployed browser plugin and standalone runtime for executing rich multimedia content delivered via SWF files. Despite its prevalence, Flash had a long history of security vulnerabilities due to its complex codebase and extensive attack surface. The Pawn Storm campaign (also known as APT28) leveraged this vulnerability in targeted spear-phishing attacks, embedding malicious SWF content in documents or web pages to compromise high-value targets.

Root Cause

The underlying flaw is a type confusion vulnerability. In the source data, the Packet Storm reference identifies the issue as occurring in the IExternalizable.writeExternal path. Type confusion arises when a program incorrectly interprets an object type, leading to unsafe memory operations. In this case, a crafted SWF can manipulate internal type checks within the Flash runtime, causing the player to treat one object type as another and subsequently access or overwrite memory outside the intended bounds. The specific CWE identifier is not catalogued in the available source data, though the mechanism aligns with type confusion behavior.

Impact

This vulnerability allows remote attackers to execute arbitrary code. The CVSS v2 score is 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C), reflecting a network-exploitable, medium-complexity attack that requires no authentication and yields complete compromise of confidentiality, integrity, and availability. The CVSS v3 score is 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), which reflects a local attack vector after user interaction, though the practical impact remains full system compromise under the attacker’s control. The impact score is 10 under CVSS v2, indicating the highest possible severity for affected systems.

Exploitation Walkthrough

This section is provided for defensive awareness only. No weaponized exploit code is included.

The attack typically follows this flow:

  1. Delivery: The attacker delivers a malicious SWF file embedded in a phishing email, compromised website, or malicious document.
  2. User interaction: The victim opens the file or visits the page, causing Flash Player to load and parse the SWF.
  3. Type confusion trigger: The SWF manipulates the IExternalizable.writeExternal code path to confuse an internal object type, causing Flash to access an attacker-controlled memory region.
  4. Code execution: Through careful memory layout manipulation, the attacker redirects execution to a payload that runs with the privileges of the Flash process.

Ethics caveat: This description is intentionally generic and excludes working exploit primitives. It is intended solely to help defenders understand the attack surface and build appropriate detection and prevention controls.

Affected and Patched Versions

The source data identifies the following affected versions:

  • Adobe Flash Player 18.x through 18.0.0.252 on Windows and OS X
  • Adobe Flash Player 19.x through 19.0.0.207 on Windows and OS X
  • Adobe Flash Player 11.x through 11.2.202.535 on Linux

The exact patched version numbers are not specified in the available source data; Adobe addressed this flaw in security bulletin APSB15-27. Administrators should consult the official Adobe advisory for definitive patch levels.

Remediation

  1. Upgrade immediately: Apply the patched versions released in Adobe APSB15-27.
  2. Uninstall or disable Flash: Adobe Flash Player reached end-of-life in December 2020 and no longer receives security updates. Organizations should remove it from all systems unless absolutely required for legacy applications, in which case strict network isolation is mandatory.
  3. Browser restrictions: Disable Flash in all browsers and block SWF execution via Group Policy or enterprise management tools.
  4. Application whitelisting: Prevent unauthorized SWF files from executing through application control policies.
  5. Network segmentation: Isolate legacy systems that must retain Flash to limit lateral movement if compromise occurs.

Detection

  • Network: Monitor for unexpected SWF downloads from untrusted domains, particularly in email attachments or web traffic.
  • Endpoint: Detect Flash Player processes spawning suspicious child processes or making unexpected network connections.
  • File: Hunt for SWF files with unusual entropy or structural anomalies that may indicate malicious crafting.
  • Memory: On forensics engagements, look for signs of type confusion exploitation in Flash process memory dumps, such as corrupted object vtables or unexpected JIT-sprayed regions.

Assessment

CVE-2015-7645 carries an EPSS score of 0.68396 and sits at the 99.247th percentile, indicating a very high probability of active exploitation in the wild. It is also listed in the CISA Known Exploited Vulnerabilities (KEV) catalog with an added date of 2022-03-03, confirming its significance to threat actors.

Key lessons:

  1. Legacy software is persistent risk: Flash remained a target years after its peak usage because it was installed on millions of endpoints and rarely uninstalled.
  2. EPSS and KEV data should drive prioritization: Even with a CVSS v3 score of 7.8, the extremely high EPSS and confirmed KEV status mean this vulnerability should be treated as critical for any environment where Flash still exists.

References

Frequently asked questions

What is CVE-2015-7645?
Adobe Flash Player 18.x through 18.0.0.252 and 19.x through 19.0.0.207 on Windows and OS X and 11.x through 11.2.202.535 on Linux allows remote attackers to execute arbitrary code via a crafted SWF file, as exploited in the wild in October 2015.
How severe is CVE-2015-7645?
CVE-2015-7645 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2015-7645 being actively exploited?
Yes. CVE-2015-7645 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2015-7645?
CVE-2015-7645 primarily affects Adobe Flash Player. In total, 19 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2015-7645?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2015-7645 have an EU (EUVD) identifier?
Yes. CVE-2015-7645 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2015-7548. It is also flagged as exploited in the EUVD (since 2022-03-03).
When was CVE-2015-7645 published?
CVE-2015-7645 was published on 2015-10-15 and last updated on 2026-06-17.

References

Affected products (19)

More vulnerabilities in Adobe Flash Player

All CVEs affecting Adobe Flash Player →