CVE-2017-3066
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.
Analysis
Adobe ColdFusion 2016, 11, and 10 contain a Java deserialization vulnerability in the Apache BlazeDS library that allows unauthenticated remote code execution through crafted AMF requests.
Technical Context
This is a CWE-502 (deserialization of untrusted data) flaw: the BlazeDS library bundled with ColdFusion deserializes AMF request bodies that can carry serialized Java objects without validating their origin or type. Attackers craft AMF payloads containing gadget chains built from classes already on the server's classpath (Commons Collections, Spring, etc.), so the commands run during deserialization itself, before any application logic sees the request. Because the gateway endpoints are reachable without authentication, no credentials are required.
Affected Products
Adobe ColdFusion 2016 Update 3 and earlier
Adobe ColdFusion 11 Update 11 and earlier
Adobe ColdFusion 10 Update 22 and earlier
Remediation
Apply Adobe security update APSB17-14. Restrict network access to the BlazeDS endpoints (/flex2gateway/, /messagebroker/) to the clients that actually need them, since these paths are reachable unauthenticated. Update Apache BlazeDS to a patched version. Consider WAF rules that filter AMF requests (Content-Type application/x-amf) to those endpoints, and review access logs for AMF POSTs from unexpected sources.
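As an added illustration of the access-restriction advice above (example code, not part of the advisory or of any Adobe or Apache project), a log check that flags AMF POSTs to the two gateway paths from clients outside an assumed allowlist; the allowlist network, the log layout with Content-Type as the last field, and the sample lines are all assumptions constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Gateway paths from the remediation section, matched as case-insensitive prefixes.
BLAZEDS_PATHS = ("/flex2gateway/", "/messagebroker/")
# Hypothetical allowlist of client networks permitted to use the gateway (an assumption).
ALLOWED_NETS = [ip_network("10.0.0.0/8")]
# Combined-style access log with the request Content-Type logged as the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$'
)
# Constructed sample lines; the client addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2017:10:00:01 +0000] "POST /flex2gateway/ HTTP/1.1" 200 512 "application/x-amf"',
    '10.1.2.3 - - [10/Apr/2017:10:00:02 +0000] "POST /messagebroker/amf HTTP/1.1" 200 88 "application/x-amf"',
    '198.51.100.9 - - [10/Apr/2017:10:00:03 +0000] "GET /index.cfm HTTP/1.1" 200 2048 "-"',
    '198.51.100.9 - - [10/Apr/2017:10:00:04 +0000] "POST /MessageBroker/ HTTP/1.1" 500 0 "application/x-amf"',
]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_gateway_path(path):
    # Drop the query string and normalise case and trailing slash so /FLEX2GATEWAY is not missed.
    p = path.split("?", 1)[0].lower()
    if not p.endswith("/"):
        p += "/"
    return p.startswith(BLAZEDS_PATHS)

def is_allowed(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # an unparsable client field is treated as not allowlisted
    return any(addr in net for net in ALLOWED_NETS)

def flag_amf_requests(lines):
    """Return (client_ip, path) for AMF POSTs to the gateway from non-allowlisted clients."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_gateway_path(rec["path"]):
            continue
        is_amf = rec["ctype"].lower().startswith("application/x-amf")
        if rec["method"] == "POST" and is_amf and not is_allowed(rec["ip"]):
            findings.append((rec["ip"], rec["path"]))
    return findings
```

Failed requests (the 500 in the sample) are reported too, since a rejected attempt from an unexpected client is still worth investigating.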