Adobe has promised to issue a fix for another major security flaw in its Flash software.
Adobe has credited Kaspersky with uncovering evidence that the flaw is being used by a group of Russian hackers dubbed ScarCruft. The flaw is notable because it can be used against Windows, OS X, Linux, and Chrome OS systems.
Adobe plans to issue a fix for the problem by 16 June.
"Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild and is being used in limited targeted attacks," said the firm.
"Adobe will address this vulnerability in our monthly security update, which will be available as early as June 16."
Kaspersky explained that it caught the flaw being used during its usual investigations into security incidents.
"Earlier this month, we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks. We believe these attacks are launched by an APT group we call ScarCruft," the firm said.
"ScarCruft is a relatively new APT group, and victims have been observed in several countries. The group has several ongoing operations using multiple exploits, two for Adobe Flash and one for Microsoft Internet Explorer."
Security experts have used the incident, and Adobe's plans to issue a fix, as more evidence of just how troublesome Flash has become, and said that firms using the software should apply the patch the moment it is released.
"Adobe has acknowledged that a vulnerability (CVE-2016-4171) in the current Flash player is being used in the wild and delayed the expected monthly Adobe Flash patch. The APSA16-03 advisory promises the patch for the end of this week," said Wolfgang Kandek, CTO at security firm Qualys.
"Pay close attention to the release and address it as quickly as possible. This is the third month in a row that we are seeing a zero-day in Flash, making it the most targeted software on your organisation's endpoints."
The news comes after Microsoft issued the June Patch Tuesday security release with five critical fixes covering key products including IE, Edge and Office.