CVE-2017-3066

CVE Database · CVE-2017-3066

CVE-2017-3066

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

90.60%

Published

Apr 27, 2017

Modified

Apr 22, 2026

CISA Known Exploited Vulnerability

Added: 2025-02-24 · Due: 2025-03-17

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (4)

All weaponized →

Exploit-DBAdobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution TrickestTrickest PoC index GitHub PoCcodewhitesec/ColdFusionPwn★96 GitHub PoCcucadili/CVE-2017-3066★2

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-502CWE-502

Affected Products (39)

adobe · coldfusionvulnerable