LiveActive security incident?Get immediate response
CVE Record

CVE-2010-10015: AOL <= 9.5 Phobos.Playlist 'Import()' Stack-Based Buffer Overflow

AOL versions up to and including 9.5 includes an ActiveX control (Phobos.dll) that exposes a method called Import() via the Phobos.Playlist COM object. This method is vulnerable to a stack-based buffer overflow when provided with an excessively long string argument. Exploitation allows remote attackers to execute arbitrary code in the context of the user, but only when the malicious HTML file is opened locally, due to the control not being marked safe for scripting or initialization. AOL remains an active and supported brand offering services like AOL Mail and AOL Desktop Gold, but the legacy AOL 9.5 desktop software—specifically the version containing the vulnerable Phobos.dll ActiveX control—is long discontinued and no longer maintained.

HighCVSS 8.4Not KEV-listedUpdated
Glexia's Takehigh

Analyst readout for executives and security teams

Plain-English summary

This is a legacy AOL desktop software flaw in an ActiveX component. If an endpoint still has AOL 9.5-era Phobos.dll installed, a user opening a malicious local HTML file could allow code execution as that user. It is serious for exposed legacy endpoints, but likely uncommon in modern environments.

Executive priority

Prioritize as a legacy endpoint cleanup issue, not a broad internet emergency. Act quickly if regulated, kiosk, shared, or high-risk user systems still carry old AOL components.

Technical view

The vulnerable Phobos.Playlist COM object exposes Import(), which can trigger a stack-based buffer overflow with an overly long string. Sources indicate exploitation is constrained because the control is not marked safe for scripting or initialization, requiring the malicious HTML to be opened locally. Public exploit references exist.

Likely exposure

Most exposure is expected on older Windows endpoints retaining AOL 9.5 or the Phobos.dll ActiveX control. The provided sources do not show AOL Mail or AOL Desktop Gold as affected.

Exploitation context

The source bundle includes public exploit references and third-party detection advisories. It does not indicate CISA KEV listing or verified active exploitation. User interaction and local file opening are required based on the CVSS vector and description.

Researcher notes

The CVE data and references support the buffer overflow and public exploit availability. Product lifecycle and patch status are less complete; the bundle says AOL 9.5 is discontinued and provides no vendor remediation.

Mitigation direction

  • Inventory endpoints for legacy AOL 9.5 and Phobos.dll.
  • Remove or retire unsupported AOL 9.5-era desktop software.
  • Disable or remove the vulnerable ActiveX control where found.
  • Block risky local HTML attachment handling through endpoint policy.
  • Check vendor guidance; no official patch is named in the provided sources.
  • Enable relevant IPS or endpoint detections where available.

Validation and detection

  • Confirm whether any endpoint has AOL 9.5-era components installed.
  • Check software inventory for Phobos.dll and Phobos.Playlist registration.
  • Review email and web controls for local HTML file execution risk.
  • Verify Broadcom or FortiGuard signatures are deployed if those products are used.
  • Document exceptions for any legacy dependency that cannot be removed.
Prepared
Confidence
medium
Sources
9

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-121: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2010-10015 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.4 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
10Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.4CVSS 4.0HighCVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NVulnCheck

Vulnerability scoring details

Base CVSS 4.0 score

8.4High
CVSS 4.0 vector shape for CVE-2010-10015Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
AOLAOL0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-121 · source CWE mapping

Stack-based Buffer Overflow

Stack-based Buffer Overflow represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.