Adobe has updated its Flash software to fix a security hole, which was made public only after data was stolen from an online surveillance company.
Italian firm Hacking Team sells spying software to intelligence agencies around the world.
On Sunday, private data stolen from the company was posted online, indicating it knew about a serious flaw in Flash, but had not told Adobe.
One security blog said the bug had been "immediately weaponised" by attackers.
"This is one of the fastest documented cases of an immediate weaponisation in the wild, possibly thanks to the detailed instructions left by the Hacking Team," wrote Jerome Segura from Malwarebytes.
Details of the software flaw were among 400GB of stolen data that was posted online.
In the data, Hacking Team described the flaw as "the most beautiful Flash bug for the last four years".
Security software company Trend Micro said the flaw had been included in at least three "exploit kits" - collections of computer code and tools that can help attackers spread malicious software.
"When you know the severity of a flaw, there's a duty to disclose it to the software vendor," said Bharat Mistry, cybersecurity expert at Trend Micro.
"Maybe they saw this as an avenue they could use for their own purposes and wanted to keep it under wraps.
"But Flash has a big presence on the web. There is mass potential for this bug to be exploited by criminals."
Adobe acknowledged the bug could "cause a crash and potentially allow an attacker to take control of the affected system".
It said the flaw affected Flash 184.108.40.206 and earlier versions for Windows, Macintosh and Linux.
The company released an update to Flash on Wednesday and said it recommended people install it "within 72 hours".