CVE-2017-3066
Published: 2017-04-27
Priority: P1 · 95 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-03-17. Exploited in the wild.
EPSS: 90.60% (99.8th percentile)
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | coldfusion | 2016 Update 3 and earlier | — |
| adobe | coldfusion | 11 Update 11 and earlier | — |
| adobe | coldfusion | 10 Update 22 and earlier | — |
Detection & IOCs (extracted from sources)
Byte sequence (request-body fast_pattern in ET sid:2025836):
```
f9 6a 76 7b 7c de 68 4f 76 d8 aa 3d 00 00 01 5b b0 4c 1d 81 80 01 00
```
Snort/ET rule:
```snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Adobe Coldfusion BlazeDS Java Object Deserialization Remote Code Execution"; flow:established,to_server; http.uri; content:"/amf"; http.request_body; content:"sun.rmi.server.UnicastRef"; content:"|f9 6a 76 7b 7c de 68 4f 76 d8 aa 3d 00 00 01 5b b0 4c 1d 81 80 01 00|"; fast_pattern; distance:0; reference:url,exploit-db.com/exploits/43993/; reference:cve,2017-3066; classtype:attempted-user; sid:2025836; rev:4; metadata:attack_target Server, created_at 2018_07_13, cve CVE_2017_3066, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_04_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
- Exploit targets the /flex2gateway/amf endpoint via HTTP POST with Content-Type: application/x-amf. Detect by matching URI path '/amf' combined with a request body containing 'sun.rmi.server.UnicastRef' and the byte sequence f9 6a 76 7b 7c de 68 4f 76 d8 aa 3d 00 00 01 5b b0 4c 1d 81 80 01 00.
- Post-exploitation: look for cron jobs downloading and executing files from 3389.space or 118.24.150.172, mining executables saved as 'java', and modification of /etc/ld.so.preload.
- On Windows, look for UPX-packed files created in the Windows Start Menu folder and code injection into notepad.exe by TermsHost.exe.
- Rocke's miner communicates with the MinerGate pool at xmr.pool.MinerGate.com:45700 using wallet/email [email protected]. Flag outbound connections to this pool address.
- The Snort/ET rule (sid:2025836) uses the specific byte sequence as a fast_pattern match; attackers could potentially modify padding bytes around the UnicastRef object to evade this signature while retaining exploit functionality.
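As an added example (not code from this page, from Emerging Threats or from Adobe), the following Python re-implements the match conditions of the two ET rules quoted on this page (sid:2025836 and sid:2065684) so a defender can check captured requests offline; the `HttpRequest` type, `amf3_string` helper and the `SAMPLES` requests are constructed for the example.

```python
# Added example: Python re-implementation of the match logic of ET sid:2025836 and
# sid:2065684; HttpRequest and SAMPLES are constructed here, not real captures.
from dataclasses import dataclass

UNICAST_REF = b"sun.rmi.server.UnicastRef"
# sid:2025836 fast_pattern bytes; distance:0 means they must occur after the class name.
TRAILER_2025836 = bytes.fromhex(
    "f9 6a 76 7b 7c de 68 4f 76 d8 aa 3d 00 00 01 5b b0 4c 1d 81 80 01 00")
# sid:2065684: AMF message header, then the class name as an AMF3 string (startswith).
AMF_HEADER = bytes.fromhex("00 03 00 00 00 01 00 00 00 00 ff ff ff ff 11 0a 07")

def amf3_string(name: bytes) -> bytes:
    # AMF3 inline string: U29 header (len << 1 | 1), valid for len < 64 (constructed helper).
    return bytes([len(name) * 2 + 1]) + name

PREFIX_2065684 = AMF_HEADER + amf3_string(UNICAST_REF)  # header ends "... 0a 07 33"

@dataclass
class HttpRequest:
    method: str
    uri: str
    content_type: str
    body: bytes

def matching_sids(req: HttpRequest) -> set:
    hits = set()
    # sid:2025836 (2018): URI contains "/amf"; class name in body, trailer somewhere after it.
    if "/amf" in req.uri:
        i = req.body.find(UNICAST_REF)
        if i != -1 and req.body.find(TRAILER_2025836, i + len(UNICAST_REF)) != -1:
            hits.add(2025836)
    # sid:2065684 (2025): POST to /flex2gateway/amf, AMF content type, body starts with prefix.
    if (req.method == "POST" and req.uri.startswith("/flex2gateway/amf")
            and req.content_type.startswith("application/x-amf")
            and req.body.startswith(PREFIX_2065684)):
        hits.add(2065684)
    return hits

# Constructed samples: a normal AMF command, a body matching both rules, and a body
# whose bytes after the class name differ from the sid:2025836 trailer.
URI, CT = "/flex2gateway/amf", "application/x-amf"
SAMPLES = {
    "benign_amf": HttpRequest("POST", URI, CT,
        AMF_HEADER + amf3_string(b"flex.messaging.messages.CommandMessage")),
    "both_rules": HttpRequest("POST", URI, CT,
        PREFIX_2065684 + b"\x0b" + TRAILER_2025836 + b"\x00"),
    "trailer_differs": HttpRequest("POST", URI, CT, PREFIX_2065684 + b"\x0b\x00\x01"),
}
```

The third sample illustrates the note above on sid:2025836: sid:2065684 anchors on the AMF header and class name rather than on the trailing bytes, so deploying both rules gives broader coverage.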
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- VulnCheck: 9.8 CRITICAL
- CISA: 9.8 CRITICAL
GHSA
GHSA-7cc9-8vjg-gpp8 (ghsa_unreviewed · 2022-05-13) · CVE-2017-3066 [CRITICAL] CWE-502
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.
VulnCheck
Adobe ColdFusion Deserialization Vulnerability (vulncheck · 2017 · CVSS 9.8) · CVE-2017-3066 [CRITICAL] CWE-502
Adobe ColdFusion contains a deserialization vulnerability in the Apache BlazeDS library that allows for arbitrary code execution.
Affected: Adobe ColdFusion
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html
- https://cisa.gov/news-events/cybersecurity-advisories/aa18-284a
- https://cujo.com/the-sysrv-botnet-and-how-it-evolved/
- https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-24-PalotayZsigovits.pdf
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://app.crowdsec.net/cti/cve-explorer/CVE-2017-3066
- https://cybl
CISA
Adobe ColdFusion Deserialization Vulnerability (cisa · 2025-02-24 · CVSS 9.8) · CVE-2017-3066 [CRITICAL] CWE-502
Affected: Adobe ColdFusion
Adobe ColdFusion contains a deserialization vulnerability in the Apache BlazeDS library that allows for arbitrary code execution.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html ; https://nvd.nist.gov/vuln/detail/CVE-2017-3066
Remediation Due Date: 2025-03-17
Suricata
ET WEB_SPECIFIC_APPS Adobe Coldfusion BlazeDS Java Object Deserialization Remote Code Execution (CVE-2017-3066) (suricata · 2025-11-06 · CVSS 9.8) · CVE-2017-3066 [CRITICAL]
Rule:
```suricata
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Adobe Coldfusion BlazeDS Java Object Deserialization Remote Code Execution (CVE-2017-3066)"; flow:established,to_server; http.uri; content:"/flex2gateway/amf"; startswith; http.content_type; content:"application/x-amf"; http.request_body; content:"|00 03 00 00 00 01 00 00 00 00 ff ff ff ff 11 0a 07 33|sun.rmi.server.UnicastRef"; fast_pattern; startswith; http.method; content:"POST"; reference:url,www.exploit-db.com/exploits/43993/; reference:cve,2017-3066; classtype:web-application-attack; sid:2065684; rev:1; metadata:affected_product Adobe_Coldfusion, attack_target Server, tls_state TLSDecrypt, created_at 2025
```
Suricata
ET EXPLOIT Adobe Coldfusion BlazeDS Java Object Deserialization Remote Code Execution (suricata · 2018-07-13) · CVE-2017-3066
Rule: sid:2025836, rev:4, as quoted in full under Detection & IOCs above.
arXiv
ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks (arxiv_fulltext · 2019-05-29)
## Abstract
Despite the fact that cyberattacks are constantly growing in complexity, the research community still lacks effective tools to easily monitor and understand them.
In particular, there is a need for techniques that are able to not only track how prominently certain malicious actions, such as the exploitation of specific vulnerabilities, are exploited in the wild, but also (and more importantly) how these malicious actions factor in as attack steps in more complex cyberattacks.
In this paper we present ATTACK2VEC, a system that uses temporal word embeddings to model how attack steps are exploited in the wild, and track how they evolve.
We test ATTACK2VEC on a dataset of billions of security events collected from the c
Talos
Rocke: The Champion of Monero Miners (blogs_talos · 2018-08-30)
This post was authored by David Liebenberg.
## Summary
Cryptocurrency miners are becoming an increasingly significant part of the threat landscape. These malicious miners steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the threat actor.
In this post, we look at the activity of one particular threat actor: Rocke. We will examine several of Rocke's campaigns, malware, and infrastructure while uncovering more information about the actor. After months of research, we believe that Rocke is an actor that must be followed, as they continue to add new features to their malware and are actively exploring new attack vectors.
## Introduction
Talos has written widely about the issue of cryptomining malware and how organizations should protect systems against thi
Threat Intel
Rocke (Rocke) (threat_intel · CVSS 7.5) [HIGH]
# Threat Actor Profile: Rocke
ATT&CK ID: G0106
Also known as: Rocke
Suspected origin: China
## Overview
Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "[email protected]" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.(Citation: Talos Rocke August 2018)
## Techniques (TTPs)
### Initial Access
- T1190 Exploit Public-Facing Application
Usage: Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.(
References:
- http://www.securityfocus.com/bid/98003
- http://www.securitytracker.com/id/1038364
- https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html
- https://www.exploit-db.com/exploits/43993/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-3066
Timeline:
- 2017-04-27: Published
- 2025-02-24: Added to CISA KEV
- Exploited in the wild