Exploitation Summary
CVE-2017-3066 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added February 24, 2025). EIP tracks 3 public exploits from researchers including Faisal Tameesh, codewhitesec, and cucadili.
AI-analyzed exploit summary
This exploit leverages a Java object deserialization vulnerability in the Apache BlazeDS component of Adobe ColdFusion to achieve remote code execution. It sends a crafted AMF payload to the ColdFusion AMF gateway; deserializing it makes the server open an outbound JRMP connection to an attacker-controlled listener, which delivers the second-stage payload.
Description
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.
Exploits (3)
This exploit leverages a Java object deserialization vulnerability in Adobe ColdFusion's BlazeDS component to achieve remote code execution. It sends a crafted AMF payload to trigger a JRMP connection to a listener for secondary payload delivery.
This repository contains a functional exploit for CVE-2017-3066 targeting Adobe ColdFusion 11/12. It exploits the deserialization vulnerability by generating serialized AMF payloads from ysoserial gadgets, enabling remote code execution.
This repository provides a detailed writeup and analysis of CVE-2017-3066, a Java deserialization vulnerability in the Apache BlazeDS library shipped with Adobe ColdFusion. It includes comparisons of vulnerable and patched versions, installation and exploitation references, and Suricata detection rules.
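Added example, not code from this page or from any of the exploit repositories listed above: a Python model of the allowlist check that closes this bug class. BlazeDS deserializes an AMF3 object whose traits carry the externalizable flag by instantiating the named class and calling its readExternal(), which is what lets a request name a class such as sun.rmi.server.UnicastRef (the class ysoserial's JRMPClient gadget relies on) and have the server open the outbound JRMP connection described in the summary. The walker below parses the AMF3 value structurally rather than by byte signature, records every externalizable class it meets, stops at the first one that is not allowlisted, and only continues past the allowlisted BlazeDS wrappers because those externalize exactly one nested AMF3 value. The allowlist contents, both sample messages, and the placeholder body of the malicious sample are constructed for this example; the AMF0 envelope that wraps the value on the wire is not parsed here.

```python
# Added example (not from the page or the listed repositories): allowlist gate for AMF3 input.
ALLOWED_EXTERNALIZABLE = {  # hypothetical subset of BlazeDS's own Externalizable wrappers
    "flex.messaging.io.ArrayCollection",
    "flex.messaging.io.ObjectProxy",
}

class DisallowedClass(ValueError):
    """Raised before any byte of a non-allowlisted readExternal() body is consumed."""

def encode_u29(n: int) -> bytes:
    """AMF3 variable-length int: 7-bit groups with a continuation bit; a 4th byte carries 8 bits."""
    assert 0 <= n < 1 << 29
    if n >= 0x200000:
        return bytes([0x80 | (n >> 22), 0x80 | ((n >> 15) & 0x7F), 0x80 | ((n >> 8) & 0x7F), n & 0xFF])
    out = [n & 0x7F]
    while n >> 7:
        n >>= 7
        out.append(0x80 | (n & 0x7F))
    return bytes(reversed(out))

def decode_u29(buf: bytes, pos: int):
    n = 0
    for i in range(4):
        b, pos = buf[pos], pos + 1
        if i == 3:  # the fourth byte carries 8 bits and no continuation flag
            return (n << 8) | b, pos
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            return n, pos

def read_string(buf, pos, strings):
    hdr, pos = decode_u29(buf, pos)
    if not hdr & 1:  # low bit 0: reference into the string table
        return strings[hdr >> 1], pos
    s = buf[pos:pos + (hdr >> 1)].decode("utf-8")
    if s: strings.append(s)  # the empty string never enters the reference table
    return s, pos + (hdr >> 1)

def amf3_externalizable(class_name: str, body: bytes) -> bytes:
    """Object marker, inline traits with the externalizable bit (0x07), class name, body."""
    name = class_name.encode("utf-8")
    return b"\x0a" + encode_u29(0x07) + encode_u29((len(name) << 1) | 1) + name + body

def walk_pairs(buf, pos, ctx, found):
    """Name/value pairs ended by an empty name (array associative part, dynamic members)."""
    name, pos = read_string(buf, pos, ctx["strings"])
    while name != "":
        pos = walk(buf, pos, ctx, found)
        name, pos = read_string(buf, pos, ctx["strings"])
    return pos

def walk(buf, pos, ctx, found):
    """Walk one AMF3 value, recording Externalizable class names and refusing unknown ones."""
    marker, pos = buf[pos], pos + 1
    if marker in (0x00, 0x01, 0x02, 0x03):  # undefined, null, false, true
        return pos
    if marker == 0x04:  # integer
        return decode_u29(buf, pos)[1]
    if marker == 0x06:  # string
        return read_string(buf, pos, ctx["strings"])[1]
    if marker not in (0x09, 0x0A):  # array and object are all this gate needs to understand
        raise ValueError(f"unsupported AMF3 marker 0x{marker:02x} at offset {pos - 1}")
    hdr, pos = decode_u29(buf, pos)
    if not hdr & 1:  # reference to an earlier array/object: nothing new is instantiated
        return pos
    if marker == 0x09:  # array: associative part, then hdr >> 1 dense values
        pos = walk_pairs(buf, pos, ctx, found)
        for _ in range(hdr >> 1):
            pos = walk(buf, pos, ctx, found)
        return pos
    if hdr & 2:  # inline traits: class name, flag bits, sealed member names
        cls, pos = read_string(buf, pos, ctx["strings"])
        members = []
        for _ in range(hdr >> 4):
            name, pos = read_string(buf, pos, ctx["strings"]); members.append(name)
        ctx["traits"].append((cls, bool(hdr & 4), bool(hdr & 8), members))
    cls, externalizable, dynamic, members = ctx["traits"][-1 if hdr & 2 else hdr >> 2]
    if externalizable:  # BlazeDS would instantiate cls and call readExternal() at this point
        found.append(cls)
        if cls not in ALLOWED_EXTERNALIZABLE:
            raise DisallowedClass(cls)
        return walk(buf, pos, ctx, found)  # the allowlisted wrappers externalize one AMF3 value
    for _ in members:
        pos = walk(buf, pos, ctx, found)
    return walk_pairs(buf, pos, ctx, found) if dynamic else pos

def inspect_amf3(body: bytes):
    """Return ('ok' | 'blocked', Externalizable class names seen, in order)."""
    found = []
    try:
        walk(body, 0, {"strings": [], "traits": []}, found)
    except DisallowedClass:
        return "blocked", found
    return "ok", found

# Constructed samples, not captured traffic. BENIGN is an ArrayCollection wrapping [1, 2].
BENIGN = amf3_externalizable("flex.messaging.io.ArrayCollection",
                             b"\x09" + encode_u29((2 << 1) | 1) + b"\x01\x04\x01\x04\x02")
# MALICIOUS names the Externalizable class that ysoserial's JRMPClient gadget relies on; the
# body is placeholder bytes, not a working gadget, and the gate never reads it.
MALICIOUS = amf3_externalizable("sun.rmi.server.UnicastRef", b"\x00" * 8)
```

inspect_amf3(BENIGN) returns ('ok', ['flex.messaging.io.ArrayCollection']) and inspect_amf3(MALICIOUS) returns ('blocked', ['sun.rmi.server.UnicastRef']), and the same verdict is reached when the malicious object is nested inside a sealed member of an ordinary typed object. The gate belongs inside the deserializer, where the class name is resolved (Apache BlazeDS's own fix took this allowlist approach), rather than in a byte-pattern rule: a class name that arrives as a string-table reference, or any class outside a fixed signature list, is invisible to a plain content match.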
References (5)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, Critical)