SpringShell-Break 2022


VMware announced that its Spring Framework, in the right configuration, is vulnerable to remote code execution (RCE). Spring MVC (Model-View-Controller) or Spring WebFlux applications running on JDK 9+ may be vulnerable to RCE via data binding. So far the vulnerability has only been confirmed on applications running on Tomcat as a WAR deployment (this has likely changed by the time of publishing, as more applications are being reported as vulnerable; both VMware and Cisco have announced vulnerable products). The default deployment as a Spring Boot executable jar is not vulnerable. VMware has stated that there may be other ways to exploit the vulnerability that simply have not been identified yet. This vulnerability affects all Spring Framework versions 5.3.0-5.3.17, 5.2.0-5.2.17, and even older unsupported versions.

VMware CVE-2022-22965: https://tanzu.vmware.com/security/cve-2022-22965

To mitigate the vulnerability, upgrade to 5.3.18+ (for 5.3.x users) or 5.2.20+ (for 5.2.x users). If you are running applications that cannot be upgraded to these versions, follow the mitigation steps provided in the Suggested Workarounds section of the RCE Early Announcement blog post from Spring.

Spring RCE Early Announcement: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
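For applications that cannot be upgraded right away, the workaround Spring describes is a global `@ControllerAdvice` that registers disallowed field patterns on every `WebDataBinder`, so a request parameter can no longer walk into the `class` property of a bound object. The following is an added example written for this post, modelled on that workaround; it is not code from the original post or from the Spring project, and the package name and class name are assumptions.

```java
// Added example (not from the original post): a global WebDataBinder
// restriction modelled on the "Suggested Workarounds" in Spring's RCE
// early announcement. The package and class name are assumed.
package com.example.hardening;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Applies to every controller in the application. LOWEST_PRECEDENCE makes it
 * run after other advice so it is not silently shadowed by earlier advice.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Patterns covering the "class"/"Class" property of the bound object itself
    // ("class.*", "Class.*") and of any nested property ("*.class.*", "*.Class.*").
    // Blocking these at the binder stops data binding from reaching the
    // ClassLoader through a bound bean's class property.
    static final String[] DISALLOWED_FIELDS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void restrictBinding(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DISALLOWED_FIELDS);
    }
}
```

Two caveats a practitioner should keep in mind when relying on this instead of upgrading: a controller that has its own `@InitBinder` method calling `setDisallowedFields` overrides the global list, so the same patterns must be added there as well; and the advice only covers request parameter binding, so it is a stopgap until the patched 5.3.18+ or 5.2.20+ versions can be deployed.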

