Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Adobe Flash Player arbitrary code execution in 21.0.0.226 and earlier

IdentifiersCVE-2016-4117CWE-94

CVE-2016-4117 is an Adobe Flash Player vulnerability affecting version 21.0.0.226 and earlier. The provided content states that the flaw allows remote attackers to execute arbitrary code via unspecified vectors and that it was exploited in the wild in May 2016 as a zero-day. The supporting context further shows it was commonly delivered through crafted Microsoft Word documents with embedded Flash objects and via exploit-kit landing pages that selected the exploit based on the victim’s installed Flash version. Specific vulnerable functions or root-cause details are not provided in the supplied content.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution on the target system. In observed campaigns, this enabled delivery and execution of follow-on malware payloads, including first-stage loaders and reconnaissance implants. The content also notes actor reporting that associated exploitation could be used to allow an executable to gain escalated privileges, but the primary verified impact in the supplied description is remote code execution in the context of the vulnerable application/user.

Mitigation

If you can’t patch tonight, do this now.

If patching is not immediately possible, reduce exposure by disabling or removing Adobe Flash Player, blocking Flash execution in browsers and document-handling contexts, and restricting delivery vectors such as malicious Office attachments and exploit-kit traffic. Additional mitigations supported by the context include filtering spearphishing attachments, limiting execution of embedded ActiveX/Flash content in Office documents, and using layered detection for exploit-kit and post-exploitation payload activity.

Remediation

Patch, then assume compromise.

Upgrade Adobe Flash Player to a version newer than 21.0.0.226 that contains Adobe’s fix for CVE-2016-4117. Because the content explicitly notes in-the-wild exploitation, affected systems should be patched immediately. Organizations should also identify and remediate vulnerable embedded Flash components in applications such as Microsoft Office workflows that may invoke Flash content.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
AdobeFlash Playerapplication
OpensuseEvergreenoperating_system
OpensuseOpensuseoperating_system
Red HatEnterprise Linux Desktopoperating_system
Red HatEnterprise Linux Serveroperating_system
Red HatEnterprise Linux Server From Rhuioperating_system
Red HatEnterprise Linux Workstationoperating_system
SuseLinux Enterprise Desktopoperating_system
SuseLinux Enterprise Workstation Extensionoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

13 SOURCESView more in app
techtargetNews
Jun 20, 2024
What is zero-day vulnerability? | Definition from TechTarget

A zero-day vulnerability in Adobe Flash Player exploited in 2016.

Read more
proofpoint threat insight blogNews
Oct 19, 2017
APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed | Proofpoint US

An Adobe Flash vulnerability previously exploited by the DealersChoice framework via crafted Microsoft Word documents.

Read more
securelistNews
Aug 8, 2017
APT Trends report Q2 2017

A previously used zero-day attributed in this report to BlackOasis historical activity (details not provided in the content).

Read more
proofpoint threat insight blogNews
Jun 1, 2017
Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions | Proofpoint US

A vulnerability previously supported by Microsoft Word Intruder as part of its exploit document builder toolkit.

Read more
+9 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence6

Every observed campaign linking this CVE to a named adversary.

Associated malware13

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2016-4117
NVD
nvd.nist.gov/vuln/detail/CVE-2016-4117
MITRE CWE · CWE-94
cwe.mitre.org
Third Party Advisory
lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html
Third Party Advisory
lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html
Third Party Advisory
lists.opensuse.org/opensuse-security-announce/2016-05/msg00046.html
Third Party Advisory
lists.opensuse.org/opensuse-security-announce/2016-05/msg00047.html
Third Party Advisory
rhn.redhat.com/errata/RHSA-2016-1079.html
Third Party Advisory
security.gentoo.org/glsa/201606-08
Third Party Advisory
exploit-db.com/exploits/46339
Issue Tracking
github.com/cisagov/vulnrichment/issues/196
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-4117