Advisory

CISA reports active exploitation of Adobe ColdFusion flaw

Take action: If you are running Adobe ColdFusion that has not been patched since 2017, and you still haven't been hacked, consider yourself very lucky (even buy a lottery ticket). In the meantime, patch your Adobe ColdFusion ASAP, because your luck is about to run out.

Learn More

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is reporting an actively exploited flaw in Adobe ColdFusion:

The exploited flaw is tracked as CVE-2017-3066 (CVSS score 9.8), a Java deserialization vulnerability in Adobe ColdFusion's Apache BlazeDS library that allows attackers to execute arbitrary code on affected systems. It affects Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier. It was originally patched by Adobe in April 2017.
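The flaw class behind CVE-2017-3066 is unrestricted Java deserialization: the server instantiates whatever class the incoming byte stream names. The example below is added here to illustrate that class of bug and the standard mitigation; it is not Adobe or BlazeDS code and says nothing about how the ColdFusion flaw itself is reached. It assumes Java 9 or later (for `java.io.ObjectInputFilter`), and the `Greeting` and `Unexpected` classes are constructed stand-ins for "a type the application expects" and "any other type".

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

// Added example (not Adobe/BlazeDS code): unrestricted Java deserialization
// versus deserialization guarded by a JEP 290 ObjectInputFilter allow-list.
public class DeserializationFilterDemo {

    // Constructed: the one type this application legitimately expects to receive.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Constructed: stands in for any class the application never meant to accept.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Only these classes may be resolved while reading a stream.
    private static final Set<String> ALLOWED = Set.of(
            Greeting.class.getName(),   // DeserializationFilterDemo$Greeting
            String.class.getName());    // needed for the Greeting.text field

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: whatever class name the bytes carry is instantiated.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: the filter rejects any class outside the allow-list
    // and caps nesting depth, so readObject() fails before a foreign class
    // is instantiated. Patching is still the real fix; this limits blast radius.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = info -> {
            if (info.depth() > 5) {
                return ObjectInputFilter.Status.REJECTED;   // refuse deeply nested graphs
            }
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED;  // limit-only check, no class yet
            }
            return ALLOWED.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        byte[] foreign = serialize(new Unexpected());

        // Both readers accept the expected type.
        System.out.println("unfiltered, Greeting : " + ((Greeting) readUnfiltered(expected)).text);
        System.out.println("filtered,   Greeting : " + ((Greeting) readFiltered(expected)).text);

        // Only the unfiltered reader instantiates the foreign type.
        System.out.println("unfiltered, Unexpected: " + readUnfiltered(foreign).getClass().getSimpleName());
        try {
            readFiltered(foreign);
            System.out.println("filtered,   Unexpected: accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered,   Unexpected: rejected -> " + e.getMessage());
        }
    }
}
```

The same allow-list can be applied process-wide with the `jdk.serialFilter` system property instead of per stream, which is the usual way to harden a deployed server whose own code you cannot change while a vendor patch is being scheduled.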

While CISA has confirmed active exploitation of the flaw, there are currently no detailed public reports describing specific attack campaigns.

CISA recommends that all organizations apply the necessary updates to mitigate these vulnerabilities. Federal agencies are required to secure their networks against these threats by March 17, 2025.
