Back to KEVs

CVE-2017-3066

Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization...

Basic Information

CVE State
PUBLISHED
Reserved Date
December 02, 2016
Published Date
April 27, 2017
Last Updated
February 24, 2025
Vendor
n/a
Product
Adobe ColdFusion ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier
Description
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.

CVSS Scores

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2025-02-24 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2019-10-09 11:13:00 UTC) Source

References

https://www.exploit-db.com/exploits/43993/ https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html http://www.securityfocus.com/bid/98003 http://www.securitytracker.com/id/1038364

Known Exploited Vulnerability Information

Source Added Date
CISA 2025-02-24 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

cucadili/CVE-2017-3066

Type: github • Created: 2019-10-09 11:13:00 UTC • Stars: 2

The study of vulnerability CVE-2017-3066. Java deserialization