IRONSMITHINTEL
CRITICAL | CVSS 9.8 | Actively Exploited | CISA KEV | CVE-2022-22963 | Auth: none (unauthenticated) | Reboot: required | Manual only

VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability (CVE-2022-22963)

When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

Published Apr 1, 2022 · Updated May 29, 2026
Why patch: Risk explained in plain English
Worst-case scenario: If unpatched

A remote attacker, without authentication, can cause full loss of data confidentiality, arbitrary modification of data, and complete denial of service or system unavailability. Federal agencies are required to remediate by 2022-09-15 under CISA BOD 22-01.

How the attack works: No clicks needed

This is a Code Injection (CWE-94) vulnerability in VMware Tanzu Spring Cloud. In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL (Spring Expression Language) expression as a routing-expression that may result in remote code execution and access to local resources. Exploitation requires only remote network access: attack complexity is low, and no authentication or user interaction is needed.

Am I affected? Quick check

Probably yes if any of these apply:

Virtualisation Administrators
Infrastructure Team
IT Security
Running any of these products and versions:

    spring cloud function: v ≤ 3.1.6, 3.2.0 ≤ v ≤ 3.2.2
    banking branch: 14.5
    banking cash management: 14.5
    banking corporate lending process management: 14.5
    banking credit facilities process management: 14.5
    banking electronic data exchange for corporates: 14.5
    banking liquidity management: 14.2, 14.5
    banking origination: 14.5
    banking supply chain finance: 14.5
    banking trade finance process management: 14.5
    banking virtual account management: 14.5
    communications cloud native core automated test suite: 1.9.0, 22.1.0
    communications cloud native core console: 1.9.0, 22.1.0
    communications cloud native core network exposure function: 22.1.0
    communications cloud native core network function cloud native environment: 1.10.0, 22.1.0, 22.1.2
    communications cloud native core network repository function: 1.15.0, 22.1.0
    communications cloud native core network slice selection function: 1.8.0, 22.1.0
    communications cloud native core policy: 1.15.0, 22.1.0, 22.1.3
    communications cloud native core security edge protection proxy: 1.7.0, 22.1.0
    communications cloud native core unified data repository: 1.15.0, 22.1.0
    communications communications policy management: 12.6.0.0.0
    financial services analytical applications infrastructure: 8.1.1.0, 8.1.2.0
    financial services behavior detection platform: 8.1.1.0, 8.1.1.1, 8.1.2.0
    financial services enterprise case management: 8.1.1.0, 8.1.1.1, 8.1.2.0
    mysql enterprise monitor: v ≤ 8.0.29
    product lifecycle analytics: 3.6.1.0
    retail xstore point of service: 20.0.1, 21.0.0
    sd-wan edge: 9.0, 9.1

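
One way to run the quick check above against a Java build, as an added example (not code from the vendor or this site): it scans `mvn dependency:list` output for Spring Cloud Function artifacts and applies the version ranges listed on this page. The sample lines are constructed, and the `org.springframework.cloud` group ID and `spring-cloud-function` artifact prefix are assumptions about how the library appears in your build.

```python
import re

GROUP = "org.springframework.cloud"   # assumed Maven group ID
PREFIX = "spring-cloud-function"      # assumed artifact name prefix
# groupId:artifactId:type[:classifier]:version:scope, as `mvn dependency:list` prints it
TOKEN = re.compile(r"[\w.\-]+(?::[\w.\-]+){4,5}")

def version_key(version):
    """Numeric prefix of a version as a 3-tuple; qualifiers (.RELEASE, -M1) are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        return None
    nums = [int(n) for n in m.group(0).split(".")]
    return tuple((nums + [0, 0, 0])[:3])

def is_affected(version):
    """True/False per the ranges on this page; None if the version cannot be parsed."""
    key = version_key(version)
    if key is None:
        return None  # unparseable: review manually
    return key <= (3, 1, 6) or (3, 2, 0) <= key <= (3, 2, 2)

def scan(lines):
    """Return (artifact, version, affected) for every Spring Cloud Function artifact."""
    findings = []
    for line in lines:
        m = TOKEN.search(line)
        if not m:
            continue
        parts = m.group(0).split(":")
        group, artifact, version = parts[0], parts[1], parts[-2]
        if group == GROUP and artifact.startswith(PREFIX):
            findings.append((artifact, version, is_affected(version)))
    return findings

# Constructed sample of `mvn dependency:list` output (not from a real project)
SAMPLE = """\
[INFO] --- maven-dependency-plugin:3.6.0:list (default-cli) @ demo ---
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.2.2:compile
[INFO]    org.springframework.cloud:spring-cloud-function-web:jar:3.2.3:compile
[INFO]    org.springframework.cloud:spring-cloud-function-core:jar:3.0.14.RELEASE:runtime
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:2.6.6:compile
""".splitlines()

if __name__ == "__main__":
    for artifact, version, affected in scan(SAMPLE):
        status = {True: "AFFECTED", False: "not in affected range", None: "UNKNOWN"}[affected]
        print(f"{artifact} {version}: {status}")
```

Pre-release qualifiers are ignored, so a milestone build of an affected release is reported as affected; transitive dependencies are covered because `mvn dependency:list` resolves them.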
Real-world incidents: What we've seen

Active exploitation documented in the wild. Threat-research write-up: http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html

How to patch

Get the fix

Apply the fixed package from your vendor. The advisory lists affected versions and the exact fixed build.

Vendor advisory

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply updates per vendor instructions.

References

    1. Vendor advisory: https://tanzu.vmware.com/security/cve-2022-22963
    2. NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-22963
    3. CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22963