IRONSMITHINTEL
CRITICALCVSS9.8
|
Actively Exploited
|CISA KEV|CVE-2022-22965|Auth: none — unauthenticated|Reboot: required|Manual only

Spring Framework JDK 9+ Remote Code Execution Vulnerability

Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

Published Apr 1, 2022 · Updated May 16, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2022-04-25 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Code Injection (CWE-94) vulnerability in VMware Spring Framework. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Exploitation requires remote network access, low attack complexity, no authentication required, and no user interaction required.

📧

Phishing link

🖼

Malicious file

🔓

Server compromised

Am I affected?Quick check

Probably yes if any of these apply:

Virtualisation Administrators
Infrastructure Team
IT Security
Running spring framework: v < 5.2.20, 5.3.0 ≤ v < 5.3.18; cx cloud agent: v < 2.1.0; communications cloud native core automated test suite: 1.9.0, 22.1.0; communications cloud native core console: 1.9.0, 22.1.0; communications cloud native core network exposure function: 22.1.0; communications cloud native core network function cloud native environment: 1.10.0, 22.1.0; communications cloud native core network repository function: 1.15.0, 22.1.0; communications cloud native core network slice selection function: 1.8.0, 1.15.0, 22.1.0; communications cloud native core policy: 1.15.0, 22.1.0; communications cloud native core security edge protection proxy: 1.7.0, 22.1.0; communications cloud native core unified data repository: 1.15.0, 22.1.0; communications policy management: 12.6.0.0.0; financial services analytical applications infrastructure: 8.1.1, 8.1.2.0; financial services behavior detection platform: 8.1.1.0, 8.1.1.1, 8.1.2.0; financial services enterprise case management: 8.1.1.0, 8.1.1.1, 8.1.2.0; mysql enterprise monitor: v < 8.0.29; product lifecycle analytics: 3.6.1; retail xstore point of service: 20.0.1, 21.0.0; sd-wan edge: 9.0, 9.1; operation scheduler: v < 2.0.4; sipass integrated: 2.80, 2.85; siveillance identity: 1.5, 1.6; access appliance: 7.4.3, 7.4.3.100, 7.4.3.200; flex appliance: 1.3, 2.0, 2.0.1, 2.0.2, 2.1; netbackup flex scale appliance: 2.1, 3.0; netbackup appliance: 4.0, 4.0.0.1, 4.1, 4.1.0.1; netbackup virtual appliance: 4.0, 4.0.0.1, 4.1, 4.1.0.1; simatic speech assistant for machines: v < 1.2.1; sinec network management system: v < 1.0.3; commerce platform: 11.3.2; communications cloud native core binding support function: 22.1.3; communications unified inventory management: 7.4.1, 7.4.2, 7.5.0; retail bulk data integration: 16.0.3; retail customer management and segmentation foundation: 17.0, 18.0, 19.0; retail financial integration: 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1; retail integration bus: 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1; retail merchandising system: 16.0.3, 19.0.1; weblogic server: 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Real-world incidentsWhat we've seen

Active exploitation documented in the wild. Threat-research write-up: http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply updates per vendor instructions.

References

    1
    Vendor advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf
    1
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-22965
    1
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22965
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2022-22965NVDVendor Advisory