Adobe ColdFusion
CVE-2017-3066
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionCVE.org
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.
AnalysisAI
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization flaws in the bundled Apache BlazeDS library. This critical vulnerability affects ColdFusion 10 (all updates through 22), ColdFusion 11 (through Update 11), and ColdFusion 2016 (through Update 3). CISA confirms active exploitation in the wild with publicly available exploit code (Exploit-DB 43993), and EPSS scoring at 93.36% (100th percentile) indicates extremely high real-world exploitation likelihood. The network-accessible attack vector requiring no authentication or user interaction makes this a top-priority remediation target for any organization running affected ColdFusion versions.
Technical ContextAI
This vulnerability resides in the Apache BlazeDS library bundled with Adobe ColdFusion, which provides AMF (Action Message Format) remoting services for Flash and Flex applications. CWE-502 indicates unsafe deserialization of untrusted data, a common Java vulnerability class where attackers craft malicious serialized objects that execute arbitrary code when deserialized by the application. BlazeDS accepts serialized Java objects over network connections without proper validation, allowing attackers to inject malicious payloads that execute during the deserialization process. The affected CPE data confirms all versions of ColdFusion 10 (base through Update 22), ColdFusion 11 (through Update 11), and ColdFusion 2016 (through Update 3) contain vulnerable BlazeDS implementations. Java deserialization vulnerabilities are particularly dangerous because they bypass traditional security controls and execute at the JVM level with the privileges of the application server process.
RemediationAI
Immediately upgrade to ColdFusion 2016 Update 4, ColdFusion 11 Update 12, or ColdFusion 10 Update 23 as specified in Adobe Security Bulletin APSB17-14 (https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html). These versions include patched BlazeDS libraries that properly validate serialized objects. If immediate patching is not feasible, implement network-level access controls to restrict ColdFusion server access to trusted IP addresses only, effectively converting the AV:N to AV:A (adjacent network). Specifically, block external access to BlazeDS endpoints (typically /flex2gateway/ and /messagebroker/ paths) at the firewall or web application firewall layer, though this severely limits legitimate AMF remoting functionality. Disable BlazeDS entirely if Flash/Flex remoting is not business-critical by removing or renaming the BlazeDS servlet mappings in web.xml, understanding this will break any applications relying on AMF services. Monitor for deserialization attack patterns in application logs, including unusual Java class names in POST data and unexpected ysoserial gadget chains. Given the confirmed active exploitation and publicly available exploits, compensating controls should be considered temporary emergency measures only - patching remains the only reliable long-term mitigation.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today