CVE-2017-3066
published 2017-04-27


Severity: critical (CVSS 3.1 base score 9.8; vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Priority: P195
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability: due 2025-03-17
Exploited in the wild
EPSS: 90.60% (99.8th percentile)
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.

Affected (3 ranges)

Vendor   Product      Version range   Fixed in
adobe    coldfusion
adobe    coldfusion
adobe    coldfusion

Detection & IOCs (extracted from sources)

url:    http://<target_IP>:<target_port>/flex2gateway/amf
path:   /flex2gateway/amf
other:  sun.rmi.server.UnicastRef
other:  Content-Type: application/x-amf
bytes:  f9 6a 76 7b 7c de 68 4f 76 d8 aa 3d 00 00 01 5b b0 4c 1d 81 80 01 00
snort:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Adobe Coldfusion BlazeDS Java Object Deserialization Remote Code Execution"; flow:established,to_server; http.uri; content:"/amf"; http.request_body; content:"sun.rmi.server.UnicastRef"; content:"|f9 6a 76 7b 7c de 68 4f 76 d8 aa 3d 00 00 01 5b b0 4c 1d 81 80 01 00|"; fast_pattern; distance:0; reference:url,exploit-db.com/exploits/43993/; reference:cve,2017-3066; classtype:attempted-user; sid:2025836; rev:4; metadata:attack_target Server, created_at 2018_07_13, cve CVE_2017_3066, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_04_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit targets the /flex2gateway/amf endpoint via HTTP POST with Content-Type: application/x-amf. Detect by matching URI path '/amf' combined with request body containing 'sun.rmi.server.UnicastRef' and the byte sequence f9 6a 76 7b 7c de 68 4f 76 d8 aa 3d 00 00 01 5b b0 4c 1d 81 80 01 00.
  • Post-exploitation: look for cron jobs downloading and executing files from 3389.space or 118.24.150.172, mining executables saved as 'java', and modification of /etc/ld.so.preload.
  • On Windows, look for UPX-packed files created in the Windows Start Menu Folder and code injection into notepad.exe by TermsHost.exe.
  • Rocke's miner communicates with MinerGate pool at xmr.pool.MinerGate.com:45700 using wallet/email [email protected]. Flag outbound connections to this pool address.
  • The Snort/ET rule (sid:2025836) uses the specific byte sequence as a fast_pattern match; attackers could potentially modify padding bytes around the UnicastRef object to evade this signature while retaining exploit functionality.
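The detection logic from the bullets above, as an added Python example that is not part of the original page: it re-implements the conditions of the ET rule (sid:2025836) over raw HTTP requests and adds a lower-confidence "suspicious" tier for the padding-modification caveat. The sample requests are constructed, not real captures, and the hostname is a placeholder.

```python
# Added example, not from the page: ET sid:2025836 logic re-implemented in Python.
UNICASTREF_MARKER = b"sun.rmi.server.UnicastRef"          # content from the rule
ET_BYTES = bytes.fromhex(                                 # |f9 6a ... 01 00| from the rule
    "f9 6a 76 7b 7c de 68 4f 76 d8 aa 3d 00 00 01 5b b0 4c 1d 81 80 01 00")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, body); headers are skipped."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    method = parts[0].decode(errors="replace")
    uri = parts[1].decode(errors="replace") if len(parts) > 1 else ""
    return method, uri, body


def classify(raw: bytes) -> str:
    """Return 'exploit', 'suspicious' or 'clean' for one request.

    exploit    - every ET rule condition holds: URI contains "/amf", the body names
                 the UnicastRef class and, after it (distance:0), the 23-byte pattern
    suspicious - UnicastRef named in an /amf request body but the exact bytes are
                 absent (lower-confidence tier for the padding-modification caveat)
    """
    _method, uri, body = parse_http_request(raw)
    if "/amf" not in uri:
        return "clean"
    idx = body.find(UNICASTREF_MARKER)
    if idx == -1:
        return "clean"
    if body.find(ET_BYTES, idx + len(UNICASTREF_MARKER)) != -1:
        return "exploit"
    return "suspicious"


def scan(requests):
    """Classify a batch of (label, raw_request) pairs; returns [(label, verdict)]."""
    return [(label, classify(raw)) for label, raw in requests]


# Constructed sample requests (not real captures); the host is a placeholder.
_HEAD = (b"POST /flex2gateway/amf HTTP/1.1\r\nHost: cf.example.invalid\r\n"
         b"Content-Type: application/x-amf\r\n\r\n")
SAMPLES = [
    ("full-pattern", _HEAD + b"\x00\x03\x00\x00\x00\x01\x00\x19" + UNICASTREF_MARKER
                     + b"\x00\x00" + ET_BYTES + b"\x00"),
    ("marker-only", _HEAD + UNICASTREF_MARKER + ET_BYTES[:4] + b"\xff" + ET_BYTES[5:]),
    ("benign-amf", _HEAD + b"\x00\x03\x00\x00\x00\x01\x00\x0bHelloWorld"),
    ("other-path", b"GET /index.cfm HTTP/1.1\r\nHost: cf.example.invalid\r\n\r\n"),
]
```

Running `scan(SAMPLES)` yields exploit, suspicious, clean, clean for the four samples in order; a "suspicious" verdict is the one to review manually when the rule itself stays silent.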

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL