Skip to main content
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Adobe Flash Player Remote Code Execution Vulnerability

IdentifiersCVE-2016-4117CWE-94

CVE-2016-4117 is a vulnerability in Adobe Flash Player affecting version 21.0.0.226 and earlier. The provided content states that it allows remote attackers to execute arbitrary code via unspecified vectors and that it was exploited in the wild in May 2016 as a zero-day. Multiple reporting contexts in the supplied material show it being used in exploit kits and targeted intrusion activity, including malicious Flash content delivered through malvertising, phishing documents, and actor tooling such as DealersChoice/Sedkit. The specific vulnerable function or root-cause class is not provided in the supplied content.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution on the victim system in the context of the user running the vulnerable Flash Player. In observed campaigns, this enabled delivery and execution of follow-on malware, including downloaders and espionage tooling, and could serve as an initial access vector for broader compromise. The content also associates exploitation with subsequent elevated execution in some actor reporting, but the primary verified impact from the supplied description is remote code execution.

Mitigation

If you can’t patch tonight, do this now.

Where immediate patching is not possible, disable or uninstall Adobe Flash Player, block Flash content in browsers and Office documents, restrict execution of embedded active content delivered through phishing or malvertising, and reduce exposure by using application control and browser/plugin hardening. Network and endpoint controls that detect exploit-kit traffic, malicious document delivery, and suspicious child-process execution from browser or document contexts can reduce risk, but they are compensating controls rather than a substitute for patching or removal.

Remediation

Patch, then assume compromise.

Upgrade Adobe Flash Player to a version newer than 21.0.0.226 that contains Adobe's fix for CVE-2016-4117. Because the vulnerability was exploited in the wild, remediation should include urgent patching of all affected endpoints and removal or replacement of legacy Flash installations where still present.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
AdobeFlash Playerapplication
OpensuseEvergreenoperating_system
OpensuseOpensuseoperating_system
Red HatEnterprise Linux Desktopoperating_system
Red HatEnterprise Linux Serveroperating_system
Red HatEnterprise Linux Server From Rhuioperating_system
Red HatEnterprise Linux Workstationoperating_system
SuseLinux Enterprise Desktopoperating_system
SuseLinux Enterprise Workstation Extensionoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

11 SOURCESView more in app
techtargetNews
Jun 20, 2024
What is zero-day vulnerability? | Definition from TechTarget

A zero-day vulnerability in Adobe Flash Player exploited in 2016.

Read more
securelistNews
Aug 8, 2017
APT Trends report Q2 2017

A previously used zero-day attributed in this report to BlackOasis historical activity (details not provided in the content).

Read more
eset welivesecurity blogNews
Dec 6, 2016
Readers of popular websites targeted by stealthy Stegano exploit kit hiding in pixels of malicious ads

An Adobe Flash Player vulnerability used by the Stegano exploit kit to compromise victims, selected based on the installed Flash version.

Read more
mitre attackNews
Jan 24, 2026
Exploitation for Privilege Escalation, Technique T1068 - Enterprise | MITRE ATT&CK®

Privilege escalation vulnerability exploited by Wingbird to elevate an executable's privileges.

Read more
+7 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence6

Every observed campaign linking this CVE to a named adversary.

Associated malware10

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2016-4117
NVD
nvd.nist.gov/vuln/detail/CVE-2016-4117
MITRE CWE · CWE-94
cwe.mitre.org
Third Party Advisory
lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html
Third Party Advisory
lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html
Third Party Advisory
lists.opensuse.org/opensuse-security-announce/2016-05/msg00046.html
Third Party Advisory
lists.opensuse.org/opensuse-security-announce/2016-05/msg00047.html
Third Party Advisory
rhn.redhat.com/errata/RHSA-2016-1079.html
Third Party Advisory
security.gentoo.org/glsa/201606-08
Third Party Advisory
exploit-db.com/exploits/46339
Issue Tracking
github.com/cisagov/vulnrichment/issues/196
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-4117