AOL versions up to and including 9.5 includes an ActiveX control (Phobos.dll) that exposes a method called Import() via the Phobos.Playlist COM object. This method is vulnerable to a stack-based buffer overflow when provided with an excessively long string argument. Exploitation allows remote attackers to execute arbitrary code in the context of the user, but only when the malicious HTML file is opened locally, due to the control not being marked safe for scripting or initialization. AOL remains an active and supported brand offering services like AOL Mail and AOL Desktop Gold, but the legacy AOL 9.5 desktop software—specifically the version containing the vulnerable Phobos.dll ActiveX control—is long discontinued and no longer maintained.
This is a legacy AOL desktop software flaw in an ActiveX component. If an endpoint still has AOL 9.5-era Phobos.dll installed, a user opening a malicious local HTML file could allow code execution as that user. It is serious for exposed legacy endpoints, but likely uncommon in modern environments.
Executive priority
Prioritize as a legacy endpoint cleanup issue, not a broad internet emergency. Act quickly if regulated, kiosk, shared, or high-risk user systems still carry old AOL components.
Technical view
The vulnerable Phobos.Playlist COM object exposes Import(), which can trigger a stack-based buffer overflow with an overly long string. Sources indicate exploitation is constrained because the control is not marked safe for scripting or initialization, requiring the malicious HTML to be opened locally. Public exploit references exist.
Likely exposure
Most exposure is expected on older Windows endpoints retaining AOL 9.5 or the Phobos.dll ActiveX control. The provided sources do not show AOL Mail or AOL Desktop Gold as affected.
Exploitation context
The source bundle includes public exploit references and third-party detection advisories. It does not indicate CISA KEV listing or verified active exploitation. User interaction and local file opening are required based on the CVSS vector and description.
Researcher notes
The CVE data and references support the buffer overflow and public exploit availability. Product lifecycle and patch status are less complete; the bundle says AOL 9.5 is discontinued and provides no vendor remediation.
Mitigation direction
Inventory endpoints for legacy AOL 9.5 and Phobos.dll.
Remove or retire unsupported AOL 9.5-era desktop software.
Disable or remove the vulnerable ActiveX control where found.
Block risky local HTML attachment handling through endpoint policy.
Check vendor guidance; no official patch is named in the provided sources.
Enable relevant IPS or endpoint detections where available.
Validation and detection
Confirm whether any endpoint has AOL 9.5-era components installed.
Check software inventory for Phobos.dll and Phobos.Playlist registration.
Review email and web controls for local HTML file execution risk.
Verify Broadcom or FortiGuard signatures are deployed if those products are used.
Document exceptions for any legacy dependency that cannot be removed.
Based on public source material and reviewed before publication.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-121: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
10Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-121 · source CWE mapping
Stack-based Buffer Overflow
Stack-based Buffer Overflow represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.