Back to KEVs

CVE-2017-3066

Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization...

Basic Information

CVE State
PUBLISHED
Reserved Date
December 02, 2016
Published Date
April 27, 2017
Last Updated
June 06, 2025
Vendor
Adobe
Product
Adobe ColdFusion ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier
Description
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.
Tags
apache cisa

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

10.0

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-02-24 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2019-10-09 11:13:00 UTC) Source

References

https://www.exploit-db.com/exploits/43993/ https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html http://www.securityfocus.com/bid/98003 http://www.securitytracker.com/id/1038364

Known Exploited Vulnerability Information

Source Added Date
CISA 2025-02-24 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

cucadili/CVE-2017-3066

Type: github • Created: 2019-10-09 11:13:00 UTC • Stars: 2

The study of vulnerability CVE-2017-3066. Java deserialization

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Added to KEVIntel