CVE-2017-3066

Published Apr 27, 2017


Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2017-3066 is a remote code execution vulnerability caused by insecure Java deserialization in the Apache BlazeDS library used by Adobe ColdFusion. Affected versions are Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier. Successful exploitation allows an attacker to execute arbitrary code on the affected system. The vulnerability was identified and reported in 2017. On February 24, 2025, CISA added CVE-2017-3066 to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation.

Description
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 Update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.
Source: psirt@adobe.com
NVD status: Analyzed

Risk scores

CVSS 3.1
Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

CVSS 2.0
Type: Primary
Base score: 10
Impact score: 10
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:C/I:C/A:C

Known exploits

Data from CISA
Vulnerability name: Adobe ColdFusion Deserialization Vulnerability
Exploit added on: Feb 24, 2025
Exploit action due: Mar 17, 2025
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weaknesses

Source: nvd@nist.gov
CWE-502
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-502
