🔴 CVE-2017-3066

Critical Java deserialization vulnerability in Adobe ColdFusion allowing remote code execution via the Apache BlazeDS library. ColdFusion is primarily deployed as an internet-facing web application server, making this vulnerability directly exploitable over the internet without authentication.

Risk Level: HIGH_RISK

CVSS Score: 9.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 - Exploit Public-Facing Application

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2017-04-27

Added to CISA KEV: 2025-02-24 (2860 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2017-3066 is a critical Java deserialization vulnerability affecting Adobe ColdFusion that remains a significant security concern due to its ongoing exploitation in the wild.

Overview and Impact

  • Vulnerability Type: Java deserialization vulnerability within the Apache BlazeDS library [5].
  • Impact: Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) on the affected server [3]. This grants the attacker the ability to run arbitrary code, potentially leading to full system compromise, data theft, and disruption of services [1].

Exploitation Details

  • Attack Method: Attackers exploit this flaw by sending a specially crafted Action Message Format (AMF) payload to the target server [3].
  • Requirements: The attack is performed remotely over the network. It requires no authentication (no privileges) and no user interaction to succeed [1].

Active Exploitation and Threat Landscape

  • Wild Exploitation: CVE-2017-3066 is actively exploited in the wild. Recent analysis indicates a surge in exploitation attempts, with attack volumes spiking significantly, demonstrating persistent and escalating interest from threat actors [2].
  • Threat Actor Usage: The vulnerability is leveraged by sophisticated threat actors, including those involved in advanced persistent threat (APT) operations, who use it for targeted reconnaissance and compromise [2].
  • CISA KEV: Due to its active exploitation and critical nature, this vulnerability is included in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog, which mandates urgent remediation for federal agencies and strongly advises it for all organizations [1].

Affected Versions and Mitigation

The vulnerability affects the following Adobe ColdFusion versions:
  • ColdFusion 2016: Update 3 and earlier
  • ColdFusion 11: Update 11 and earlier
  • ColdFusion 10: Update 22 and earlier

Status: This is a legacy vulnerability for which patches were released by Adobe in 2017 (APSB17-14) [4]. Organizations running these older, unsupported versions of ColdFusion are at high risk and should prioritize upgrading to a supported, patched version or applying the relevant security updates immediately.

Sources

  1. CVE-2017-3066 - Exploits & Severity - Feedly

    Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization ... CVEs. CVE-2017-3066. Exploit.It allows for arbitrary code execution, which means an attacker could run malicious code on the affected system. The vulne…

  2. Adobe ColdFusion - RCE (CVE-2017-3066)

    Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2017-3066 is surging. Attack volumes are spiking well a…

  3. CVE-2017-3066: Adobe ColdFusion Deserialization Vulnerability

    By crafting a malicious AMF payload, attackers can exploit this flaw and achieve remote code execution on the ColdFusion servers. Attack Flow: ... This blog describes about the CVE 2017 3066 vulnerability and how to reproduce it.

  4. CVE-2017-3066 : Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion ...

    Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution. ... Successful exploitation could lead to arbi…

  5. NVD - CVE-2017-3066

    CVE-2017-3066 Detail Description Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution. ... This CVE…