CISA Adds Two Exploited Vulnerabilities to Catalog: Immediate Action Required for Adobe and Oracle Products
CISA has added two deserialization vulnerabilities (CVE-2017-3066 and CVE-2024-20953) to its Known Exploited Vulnerabilities catalog. They affect Adobe ColdFusion and Oracle Agile PLM and can lead to code execution or system takeover. The vendors have released patches; organizations should update their systems promptly to reduce the risk. 2025-2-25 11:15:43 Author: cyble.com

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerabilities, identified as CVE-2017-3066 and CVE-2024-20953, affect two widely used software products: Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM).

Deserialization vulnerabilities have become a recurring theme in cybersecurity, posing risks to both individual organizations and the broader systems they connect to. Both of these vulnerabilities are instances of this class of flaw, which arises when an application deserializes untrusted data without adequately validating it. Such flaws allow attackers to inject malicious data into the deserialization process, often leading to code execution, privilege escalation, or system takeover.

In this context, deserialization vulnerabilities are increasingly exploited by cybercriminals to bypass security measures and gain unauthorized access to sensitive information. Organizations need to remain vigilant in patching these vulnerabilities to protect their systems and prevent exploitation.
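Both affected products are Java applications, so the flaw class described above is easiest to see in Java's native object serialization. The following is an added example, not code from the post or from Adobe or Oracle: it places the unsafe pattern (deserialize whatever class the incoming stream names) next to the hardened pattern (a JEP 290 serialization filter, Java 9+, that allowlists the one class the endpoint expects and rejects everything else before any of its code runs). The `OrderRequest` class and the byte streams are constructed for the demonstration.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

// Hypothetical value object that a service legitimately expects to receive (constructed for this example).
class OrderRequest implements Serializable {
    private static final long serialVersionUID = 1L;
    final String sku;
    final int quantity;
    OrderRequest(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
}

public class SafeDeserialization {

    // Serializes any object to bytes; stands in for data arriving over the network.
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // UNSAFE pattern: whatever class the stream names is instantiated and its readObject logic runs.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // HARDENED pattern: only OrderRequest is allowed; every other class is rejected before it is
    // resolved or constructed. maxdepth/maxbytes bound the resources a stream can consume.
    static final ObjectInputFilter ORDER_FILTER = ObjectInputFilter.Config.createFilter(
            "OrderRequest;maxdepth=5;maxbytes=4096;!*");

    static OrderRequest deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ORDER_FILTER);
            return (OrderRequest) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = toBytes(new OrderRequest("SKU-1", 3));
        // A harmless stand-in for "a class the endpoint never asked for".
        byte[] unexpected = toBytes(new ArrayList<>(List.of("not", "an", "order")));

        System.out.println("unfiltered accepts any class: " + deserializeUnfiltered(unexpected).getClass());
        System.out.println("filtered accepts the expected class: sku=" + deserializeFiltered(expected).sku);
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            // The JDK reports a filter rejection as InvalidClassException ("filter status: REJECTED").
            System.out.println("filtered rejects the unexpected class: " + e.getMessage());
        }
    }
}
```

The allowlist is the important part: a denylist of known gadget classes is always one library upgrade behind, whereas `!*` after the expected class names fails closed. The same filter can be installed process-wide with `ObjectInputFilter.Config.setSerialFilter`, or via the `jdk.serialFilter` system property, which is useful when the deserializing code lives in a third-party framework you cannot edit.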

Details of the Vulnerabilities (CVE-2017-3066 and CVE-2024-20953)

CVE-2017-3066: Adobe ColdFusion Deserialization Vulnerability

First reported in 2017, CVE-2017-3066 is a deserialization vulnerability in the Apache BlazeDS library used by Adobe ColdFusion. This issue exists in ColdFusion 2016 Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier. Attackers can exploit this flaw to execute arbitrary code, potentially taking control of affected systems. The vulnerability is triggered when ColdFusion fails to validate data before deserializing it, allowing code execution in the context of the affected application.

Adobe responded by issuing hotfixes for ColdFusion products in April 2017, addressing the deserialization issue and providing updates to mitigate the vulnerability. However, despite these updates, security experts continue to warn that many systems may still be exposed if the necessary patches have not been applied.

Affected Versions:

  • ColdFusion (2016 release) Update 3 and earlier
  • ColdFusion 11 Update 11 and earlier
  • ColdFusion 10 Update 22 and earlier

For ColdFusion users, Adobe strongly recommends updating to the latest versions:

  • ColdFusion (2016 release): Update 4
  • ColdFusion 11: Update 12
  • ColdFusion 10: Update 23

These updates address CVE-2017-3008, a cross-site scripting (XSS) vulnerability, and CVE-2017-3066, the deserialization vulnerability, offering critical protection against exploitation.

Key CVE References:

  • CVE-2017-3066 (Adobe ColdFusion Deserialization Vulnerability)
  • CVE-2017-3008 (Cross-Site Scripting)

CVE-2024-20953: Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability

The second vulnerability added to the CISA KEV Catalog is CVE-2024-20953, identified in Oracle's Agile PLM product. This vulnerability, which affects version 9.3.6 of the Oracle Agile PLM Framework, allows a low-privileged attacker with network access via HTTP to exploit a deserialization flaw. Successful exploitation could lead to a complete compromise of the affected system, including taking over Oracle Agile PLM.

The deserialization vulnerability in Oracle Agile PLM could enable attackers to manipulate internal data and execute arbitrary code. The vulnerability carries a CVSS 3.1 base score of 8.8 (High), reflecting its potential impact on the confidentiality, integrity, and availability of affected systems. Its ease of exploitation makes it a top target for malicious cyber actors.

Affected Product:

  • Oracle Agile PLM, version 9.3.6

Oracle has issued a security patch to address CVE-2024-20953, and organizations must apply the patch promptly to prevent further compromise.

Oracle and Adobe’s Responses

Both Oracle and Adobe have been proactive in addressing these vulnerabilities by issuing security updates and patches. Oracle’s security advisories and regular Critical Patch Updates (CPUs) provide users with necessary fixes for various vulnerabilities across its product family, including the deserialization vulnerability in Oracle Agile PLM. Oracle also stresses the importance of keeping systems updated to prevent the exploitation of known vulnerabilities.

Similarly, Adobe’s quick response to CVE-2017-3066 with hotfixes for ColdFusion products ensures that affected users can mitigate risks associated with the deserialization flaw. Adobe’s advice for ColdFusion customers to update their installations is crucial in preventing cyber attackers from exploiting the vulnerability.

Mitigation and Recommendations

Organizations must take proactive steps to mitigate the risks posed by these vulnerabilities. Here are some recommended actions for protecting against CVE-2017-3066 and CVE-2024-20953:

  1. Apply Patches: Ensure that all affected systems are updated to the latest versions. For Adobe ColdFusion, update to ColdFusion 2016 Update 4, ColdFusion 11 Update 12, or ColdFusion 10 Update 23. For Oracle Agile PLM, update to version 9.3.6 or apply the latest available patch.
  2. Review Security Configurations: Review the security configuration settings outlined by Adobe and Oracle to harden your installations and prevent future vulnerabilities from being exploited.
  3. Monitor for Suspicious Activity: Monitor your network traffic and system logs for any signs of attempted exploitation. Early detection can help prevent major damage.
  4. Stay Informed: Check for updates from CISA, Adobe, Oracle, and other relevant vendors regularly to stay informed about newly discovered vulnerabilities and required patches.
  5. Ensure Compliance: For federal agencies and contractors, ensure compliance with BOD 22-01 to meet the remediation requirements outlined by CISA.

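Recommendation 3 above is easier to act on if the application surfaces rejected deserialization attempts in a log that can be watched. The following is an added example, not code from the post or from either vendor: it scans application log lines for the error a JDK serialization filter raises when it refuses an unexpected class (`InvalidClassException`, "filter status: REJECTED") and flags any client that triggers it repeatedly. The log format and the sample lines are constructed for this example; a real deployment would adapt the regex to its own log layout.

```java
import java.util.*;
import java.util.regex.*;

public class DeserializationAttemptDetector {

    // Constructed sample application log lines, not taken from any real ColdFusion or Agile PLM
    // deployment. Assumed format: "<timestamp> <level> client=<ip> <message>".
    static final List<String> SAMPLE_LOG = List.of(
        "2025-02-25T10:00:01Z INFO client=10.0.0.5 order accepted",
        "2025-02-25T10:00:02Z ERROR client=203.0.113.7 java.io.InvalidClassException: filter status: REJECTED",
        "2025-02-25T10:00:02Z ERROR client=203.0.113.7 java.io.InvalidClassException: filter status: REJECTED",
        "2025-02-25T10:00:03Z ERROR client=203.0.113.7 java.io.InvalidClassException: filter status: REJECTED",
        "2025-02-25T10:00:04Z ERROR client=10.0.0.9 java.io.InvalidClassException: filter status: REJECTED",
        "2025-02-25T10:00:05Z INFO client=10.0.0.5 order accepted"
    );

    private static final Pattern LINE = Pattern.compile("^(\\S+) (\\w+) client=(\\S+) (.*)$");

    // Messages that indicate a serialization filter or class resolution refused the input.
    // A single hit can be a bug or a stale client; a burst from one source is worth a look.
    private static final List<String> MARKERS = List.of(
        "filter status: REJECTED", "InvalidClassException", "ClassNotFoundException");

    // Returns the clients that produced at least `threshold` rejected-deserialization events,
    // mapped to their event count, sorted by client address.
    static Map<String, Integer> flagClients(List<String> lines, int threshold) {
        Map<String, Integer> counts = new HashMap<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;          // skip lines that do not fit the assumed layout
            String client = m.group(3);
            String message = m.group(4);
            if (MARKERS.stream().anyMatch(message::contains)) {
                counts.merge(client, 1, Integer::sum);
            }
        }
        Map<String, Integer> flagged = new TreeMap<>();
        counts.forEach((client, n) -> { if (n >= threshold) flagged.put(client, n); });
        return flagged;
    }

    public static void main(String[] args) {
        // With the sample above only 203.0.113.7 reaches the threshold of three events.
        System.out.println(flagClients(SAMPLE_LOG, 3));
    }
}
```

The threshold separates a one-off from a pattern; in practice it would be tuned per endpoint and combined with the web server's access log so the flagged client can be matched to the request path and payload size that preceded each rejection.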
Conclusion

CISA’s recent update to its Known Exploited Vulnerabilities Catalog highlights the risks associated with deserialization vulnerabilities, specifically CVE-2017-3066 and CVE-2024-20953, affecting Adobe ColdFusion and Oracle Agile PLM products. Organizations should take quick measures to apply the necessary updates to protect against exploitation. Leveraging platforms like Cyble’s AI-powered threat intelligence can help organizations stay protected from cybercriminals and mitigate any potential risks.

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue.

No Liability for Errors or Omissions

Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.


Source: https://cyble.com/blog/cyble-cisa-required-for-adobe-and-oracle-products/