CVE-2009-3960

MEDIUM KEV RANSOMWARE

BlazeDS < 3.2 - Information Disclosure via XML External Entity Injection


Exploitation Summary

CVE-2009-3960 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added March 7, 2022), with confirmed use in ransomware campaigns. EIP tracks 3 public exploits, by Roberto Suggi Liverani, Tess Sluyter and CG; one of them is the Metasploit module auxiliary/scanner/http/adobe_xml_inject.

AI-analyzed exploit summary: This exploit demonstrates XML External Entity (XXE) and XML injection vulnerabilities in multiple Adobe products, allowing local file disclosure and arbitrary XML content injection via crafted AMFX requests.

Description

Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Roberto Suggi Liverani · text · dos · multiple
https://www.exploit-db.com/exploits/11529

This exploit demonstrates XML External Entity (XXE) and XML injection vulnerabilities in multiple Adobe products, allowing local file disclosure and arbitrary XML content injection via crafted AMFX requests.

Classification: Working Poc 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Adobe BlazeDS 3.2.0.39, Adobe LiveCycle Data Services ES2 3.0, ColdFusion 9.0, Adobe LiveCycle ES2
No auth needed
Prerequisites: Access to HTTPChannel endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Tess Sluyter · bash · webapps · xml
https://www.exploit-db.com/exploits/41855

This Bash script exploits CVE-2009-3960, an XML injection vulnerability in multiple Adobe products, to disclose arbitrary file contents. It crafts a malicious XML payload with an external entity reference and sends it to various Adobe-specific endpoints via HTTP/HTTPS.

Classification: Working Poc 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Adobe BlazeDS, LiveCycle, Flex Data Services, ColdFusion (multiple versions)
No auth needed
Prerequisites: Target host running vulnerable Adobe software · Network access to the target · curl installed on attacker's system
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
by CG · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/adobe_xml_inject.rb

This Metasploit module exploits an XML External Entity (XXE) injection vulnerability in multiple Adobe products, allowing an attacker to read arbitrary files from the server. It sends a crafted AMF request with an external entity reference to read the specified file.

Classification: Working Poc 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Adobe BlazeDS 3.2 and earlier, LiveCycle 9.0/8.2.1/8.0.1, LiveCycle Data Services 3.0/2.6.1/2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0/8.0.1/8.0/7.0.2
No auth needed
Prerequisites: Network access to the target server · Vulnerable Adobe service exposed
devstral-2 · analyzed Feb 16, 2026

References (7)

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/38197
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1023584
Broken Link vdb-entry x_refsource_osvdb
http://www.osvdb.org/62292
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/38543
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41855/
Not Applicable, Vendor Advisory x_refsource_confirm
http://www.adobe.com/support/security/bulletins/apsb10-05.html

Scores

CVSS v3 6.5
EPSS 0.9012
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2022-03-07
VulnCheck KEV 2021-09-21
InTheWild.io 2022-03-07
ENISA EUVD EUVD-2009-3931
Ransomware Use Confirmed
Status published
Products (12)
adobe/blazeds < 3.2
adobe/coldfusion 7.0.2
adobe/coldfusion 8.0
adobe/coldfusion 8.0.1
adobe/coldfusion 9.0
adobe/flex_data_services 2.0.1
adobe/livecycle 8.0.1
adobe/livecycle 8.2.1
adobe/livecycle 9.0
adobe/livecycle_data_services 2.5.1
... and 2 more
Published Feb 15, 2010
KEV Added Mar 07, 2022
Tracked Since Feb 18, 2026