Security vendor FireEye said the bug was being exploited to deliver ransomware as part of the Nuclear and Magnitude exploit kits - automated tools sold on underground forums that hackers use to infect Windows PCs with malware through compromised websites.
Attackers are presently using the exploit kits to infect systems with the Locky and Cerber ransomware.
More than a billion users of Flash on Windows, Mac, Chrome and Linux computers have been urged by Adobe to update the product as quickly as possible to avoid falling victim to ransomware.
The ransomware encrypts data on computers, then demands payments that often range from U$200 to U$600 (A$265 to A$800) with Bitcoin to decrypt the scrambled information.
Adobe's new patch fixes a previously unknown zero-day security flaw.
Use of zero-days to distribute ransomware highlights a growing ransomware epidemic, which has disrupted operations at a wide range of organisations across the United States and Europe, including hospitals, police stations and school districts.
Last week, US and Canadian governments issued a warning about the growing threat as a ransomware attack shut down computer systems at MedStar Health, the largest hospital chain in the Washington DC area.