
Adobe ColdFusion CVE-2017-3066

Severity: CRITICAL (CVSS 3.1 base score 9.8)
Weakness: Deserialization of Untrusted Data (CWE-502)
Published: 2017-04-27, source: psirt@adobe.com

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (8 events)

Analysis Updated: Apr 22, 2026 - 12:42 (vuln.today), v3 (cvss_changed)
Analysis Updated: Apr 21, 2026 - 15:29 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 21, 2026 - 15:22 (vuln.today), cvss_changed
Analysis Generated: Mar 26, 2026 - 11:18 (vuln.today)
Added to CISA KEV: Oct 22, 2025 - 00:16 (cisa), CISA KEV
PoC Detected: Oct 22, 2025 - 00:16 (vuln.today), public exploit code
Patch released: Oct 22, 2025 - 00:16 (nvd), patch available
CVE Published: Apr 27, 2017 - 14:59 (nvd), CRITICAL 9.8

Description (NVD)

Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.

Analysis (AI)

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization flaws in the bundled Apache BlazeDS library. This critical vulnerability affects ColdFusion 10 (all updates through 22), ColdFusion 11 (through Update 11), and ColdFusion 2016 (through Update 3). CISA confirms active exploitation in the wild with publicly available exploit code (Exploit-DB 43993), and EPSS scoring at 93.36% (100th percentile) indicates extremely high real-world exploitation likelihood. The network-accessible attack vector requiring no authentication or user interaction makes this a top-priority remediation target for any organization running affected ColdFusion versions.

Technical Context (AI)

This vulnerability resides in the Apache BlazeDS library bundled with Adobe ColdFusion, which provides AMF (Action Message Format) remoting services for Flash and Flex applications. CWE-502 denotes unsafe deserialization of untrusted data, a common Java vulnerability class in which an attacker supplies a crafted serialized object graph that executes arbitrary code while the application deserializes it. BlazeDS accepted serialized Java objects over the network without adequately validating them, so a malicious payload sent to an AMF endpoint is reconstructed, and its side effects triggered, during deserialization. The affected CPE data confirms that all versions of ColdFusion 10 (base through Update 22), ColdFusion 11 (through Update 11), and ColdFusion 2016 (through Update 3) ship vulnerable BlazeDS implementations. Java deserialization vulnerabilities are particularly dangerous because the object graph is rebuilt by the JVM's own deserialization machinery before any application-level input validation runs, and the resulting code executes with the privileges of the application server process.

Remediation (AI)

Immediately upgrade to ColdFusion 2016 Update 4, ColdFusion 11 Update 12, or ColdFusion 10 Update 23 as specified in Adobe Security Bulletin APSB17-14 (https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html). These versions include patched BlazeDS libraries that properly validate serialized objects.

If immediate patching is not feasible, implement network-level access controls that restrict access to the ColdFusion server to trusted IP addresses only, effectively converting the AV:N to AV:A (adjacent network). Specifically, block external access to the BlazeDS endpoints (typically the /flex2gateway/ and /messagebroker/ paths) at the firewall or web application firewall layer, accepting that this severely limits legitimate AMF remoting functionality. If Flash/Flex remoting is not business-critical, disable BlazeDS entirely by removing or renaming its servlet mappings in web.xml, understanding that this will break any applications that rely on AMF services.

Monitor application logs for deserialization attack patterns, including unusual Java class names in POST data and unexpected ysoserial gadget chains. Given the confirmed active exploitation and publicly available exploit code, treat compensating controls as temporary emergency measures only: patching remains the only reliable long-term mitigation.
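As an added illustration of the monitoring advice above (this is not code from vuln.today, Adobe, or BlazeDS), the Python script below scans constructed web-server access-log lines for POSTs to the /flex2gateway/ and /messagebroker/ endpoints from addresses outside an assumed trusted range, and separately checks a captured request body for the Java serialization stream header. The combined-log layout, the trusted CIDR and the sample lines are assumptions; adjust them to the real environment.

```python
import ipaddress
import re

# Endpoints the remediation text names as the BlazeDS/AMF entry points.
AMF_PATH_PREFIXES = ("/flex2gateway", "/messagebroker")
# Header of a Java serialization stream (STREAM_MAGIC 0xACED, version 5).
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"

# Common/combined access-log format (assumed; adjust to the real log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_trusted(ip, trusted_nets):
    """True if the client address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def flag_amf_requests(lines, trusted_cidrs):
    """Return POSTs to AMF endpoints that came from outside the trusted ranges."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].lower()
        if not path.startswith(AMF_PATH_PREFIXES) or is_trusted(m["ip"], nets):
            continue
        hits.append({k: m[k] for k in ("ip", "ts", "path", "status")})
    return hits


def body_has_java_serialized_object(body):
    """True if a captured request body contains a Java serialization stream header."""
    return JAVA_SER_MAGIC in body


# Constructed sample lines, not real traffic; 10.0.0.0/8 plays the trusted range.
SAMPLE_LOG = [
    '10.0.5.20 - - [22/Oct/2025:10:01:02 +0000] "POST /flex2gateway/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Oct/2025:10:01:09 +0000] "POST /flex2gateway/amf HTTP/1.1" 200 1337',
    '203.0.113.7 - - [22/Oct/2025:10:01:10 +0000] "GET /index.cfm HTTP/1.1" 200 2048',
    '198.51.100.9 - - [22/Oct/2025:10:02:44 +0000] "POST /messagebroker/amf HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in flag_amf_requests(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(hit)
```

Run it against the real access log and the organization's actual trusted ranges; a hit from an untrusted source after the patch date is worth correlating with the ColdFusion application logs, where the serialized class names the text mentions would appear.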


CVE-2017-3066 vulnerability details – vuln.today
