CVE-2022-22965

CVE Database · CVE-2022-22965

CVE-2022-22965

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

99.68%

Published

Apr 1, 2022

Modified

Oct 30, 2025

CISA Known Exploited Vulnerability

Added: 2022-04-04 · Due: 2022-04-25

Apply updates per vendor instructions.

Public PoC / Exploit (10)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCBobTheShoplifter/Spring4Shell-POC★377 GitHub PoCreznok/Spring4Shell-POC★324 GitHub PoCtpt11fb/SpringVulScan★154 GitHub PoCTheGejr/SpringShell★131 GitHub PoCzangcc/CVE-2022-22965-rexbb★102 GitHub PoCalt3kx/CVE-2022-22965★101 GitHub PoCSecNN/SpringFramework_CVE-2022-22965_RCE★72 GitHub PoC4nth0ny1130/spring4shell_behinder★63

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-94CWE-94

Affected Products (98)

vmware · spring_framework (up to 5.2.20)vulnerable

vmware · spring_framework (up to 5.3.18)vulnerable

oracle · jdk

cisco · cx_cloud_agent (up to 2.1.0)vulnerable

oracle · communications_cloud_native_core_automated_test_suitevulnerable

oracle · communications_cloud_native_core_consolevulnerable

oracle · communications_cloud_native_core_network_exposure_functionvulnerable

References (18)

http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html

Third Party AdvisoryVDB Entry

https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf

PatchThird Party Advisory

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005

Third Party Advisory

https://tanzu.vmware.com/security/cve-2022-22965

MitigationVendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs

oracle · communications_cloud_native_core_network_function_cloud_native_environment

oracle · communications_cloud_native_core_network_function_cloud_native_environmentvulnerable

oracle · communications_cloud_native_core_network_repository_functionvulnerable

oracle · communications_cloud_native_core_network_slice_selection_functionvulnerable

oracle · communications_cloud_native_core_policyvulnerable

oracle · communications_cloud_native_core_security_edge_protection_proxyvulnerable

oracle · communications_cloud_native_core_unified_data_repositoryvulnerable

oracle · communications_policy_managementvulnerable

oracle · financial_services_analytical_applications_infrastructurevulnerable

oracle · financial_services_behavior_detection_platformvulnerable

oracle · financial_services_enterprise_case_managementvulnerable

oracle · mysql_enterprise_monitor (up to 8.0.29)vulnerable

oracle · product_lifecycle_analyticsvulnerable

oracle · retail_xstore_point_of_servicevulnerable

oracle · sd-wan_edgevulnerable

siemens · operation_scheduler (up to 2.0.4)vulnerable

siemens · sipass_integratedvulnerable

siemens · siveillance_identityvulnerable

veritas · access_appliancevulnerable

veritas · flex_appliancevulnerable