SpringShell Remote Code Execution Vulnerability

A closer look at CVE-2022-22965


The Spring Framework is a platform that provides a comprehensive architecture for Model-View-Controller-based (MVC) applications designed to decrease manual configuration and improve memory management. Implementing some design patterns uniformly makes the code more reusable and easy to maintain. This is the driving factor behind using the Spring framework to develop Enterprise-level spring boot and spring cloud applications.

The recent vulnerability CVE-2022-22965 points out that Data Binding might expose a Spring MVC or Spring WebFlux application running on Java Development Kit 9+ (JDK) vulnerable to Remote Code Execution (RCE). The exploit requires the program to execute as a Web Application Resource (WAR) deployment on Tomcat.

The program is not vulnerable to the exploit if it is deployed using the default Spring Boot executable jar. However, the vulnerability can be exploited through various approaches by a TA who is familiar with it.

The SpringShell or CVE-2022-22965 vulnerability circumvents the fix for a previous vulnerability CVE-2010-1622, allowing it to be exploited once more.

The patch for CVE-2010-1622 can be bypassed because Java Development Kit (JDK) versions 9 and above have two sandbox restriction methods, which enable exploitation.

If the below conditions are satisfied, a remote attacker can access an AccessLogValve object. This is done via the parameters of the framework’s binding feature using malicious field values to trigger pipeline mechanisms and write to files in arbitrary locations.

Prerequisites for exploitation of the vulnerability require the victim system to be running:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

Technical Analysis

When specific objects or classes are accessible under certain conditions, a vulnerability is created. Request parameters are frequently bound to a Plain Old Java Object (POJO) that is not annotated with RequestBody. This aids in the extraction of parameters from HTTP requests.

The RequestBody annotation is used to indicate whether a method parameter should be bound to the body of the HTTP request. 

An attacker can trigger the flaw by using the Spring framework’s getCachedIntrospectionResults function, incorrectly exposing the class object while binding the parameters shown in the original proof of concept script. Refer Figure 1.

Figure 1 – Screenshot from the original POC code post

By including the class variable in the requests, malicious actors can gain direct access to an object. As a result, by just following the property chains, they can access a surplus of additional valuable objects on the system.

The attacker can make changes to AccessValveLog by creating a .jsp file in the service’s root directory.

The properties mentioned below can be modified by an attacker, as shown in Figures 2 & 3:

Directory: The location of the access log relative to Tomcat’s root directory. This can be altered to point to a location accessible via HTTP requests – such as the directory of the web application.

Prefix: The name of the access log file’s prefix.

Suffix: The suffix of the name of the access log file. The log file’s name is a combination of the prefix and the suffix.

Pattern: A string that describes the structure of a log record. This can be adjusted so that each entry has a JSP web shell.

FileDateFormat: Setting this causes the new access log settings to take effect.

Figure 2 – Original Proof Of Concept code post

Figure 3 – Screenshot from the original POC code post

The .jsp file now contains a payload with a password-protected web shell in the format shown in Figure 4, allowing the attacker to execute further commands.

Figure 4 – Screenshot from the original POC code post

Cyble Research Lab’s Global Sensor Intelligence network indicated malicious activity linked to the SpringShell vulnerability (CVE-2022-22965). The heat map below depicts the geographic distribution of the scanner IP addresses that we have observed thus far. Our analysis indicates that the United States is being heavily targeted, followed by the Netherlands and Germany by TAs leveraging this vulnerability.

Figure 5 – Heat map of SpringShell

SpringShell is used to inject a JSP web shell into the web root of the web server via a specially designed request, allowing threat actors to remotely execute commands on the server.

It was observed that threat actors leverage their remote access to download and execute Mirai to the “/tmp” folder, as shown in Figure 6.

Figure – 6 Request and Commands used for Mirai (Trend Micro)

The Threat Actors behind SpringShell download numerous Mirai samples for different CPU architectures and run them using the script, as shown in Figure 6.

Figure – 7 script retrieved from a malicious server (Trend Micro)


Until this month, various Mirai botnets were among the few persistent exploiters of the Log4Shell (CVE-2021-44228) vulnerability, utilizing the bug in the widely used Log4j software to recruit affected devices into its DDoS botnet. It is probable that botnet operators are currently experimenting with other vulnerabilities that could have a significant impact, such as SpringShell, to gain access to new device pools.

These assaults could potentially expose the victim to ransomware attacks and data breaches. Thus, Mirai resource hijacking for denial of service or crypto-mining appears relatively innocuous in comparison.


  • Upgrade to the latest Spring framework version.
  • Upgrade Apache Tomcat to the latest released versions 10.0.20, 9.0.62, and 8.5.78, which rectify the attack vector on Tomcat’s side.
  • Upgrade to spring framework 5.3.18 and 5.2.20, which contain the fixes, have been released.
  • Downgrade to Java 8 as a viable workaround if upgrading the Spring Framework or Apache Tomcat is not viable.
  • Keep operating systems and application software up to date.
  • Use a strong password policy.
  • Cyber security awareness training programs are a must for employees of the organization.

Indicators of Compromise (IOCs)  

IndicatorsIndicator TypeDescription
ba4393846787f1be224b088798d25d523567a94a, 136c2a3d4202b27259d5c99f43247ba12c09157026a812d1899e82c103d41ef9
SHA -256}
SpringShell Exploit
d9c25d2dfd9cdfde6dbf005cb80b8c19d9dfe69b, 9389c61bd1069674215678a72f02b0951f3e74d9e4d2c9ce58d58f3a15d91ae4
SHA -256}
SpringShell Exploit
1b64cb331a37bd2c858f042ebc3617f4c15f08b0,  f23259498b67d7a70904d25453b2deeb23719fca0fadf925f69feacae758a44e
SHA -256}
SpringShell Exploit
f8ff2ec0f839970aadd41f78d993699380bbef38, b95017be689384eec9f3800f712ce2b6003893afeac507c7da70330fe75dd216
SHA -256}
SpringShell Exploit
c2f04ab5e0f744c06ce401342e123844d96ff2a0, 4f19caf78b58d7ec120f91165c9e21fdc9a7e75c01b1b7af234c31b871781c41
SHA -256}
SpringShell Exploit
247f484f62342fbdb324799d500f060000b73197, 2dd7d5d9ff525732d7730e205c4e85005ff79395e1ecbc69071fd82d4426b37f
{MD5,  SHA-1,
SHA -256}
SpringShell Exploit
d0af2d07398aa504d83c2507249b99835a240c9f, 35cf4e1eb657b53d77b331faee7d6e48f73acd136eed9ccfda60abc1033c6166
SHA -256}
SpringShell Exploit
d50a107458a043e117ad72fa32cf7454c0150eae, e3d86c64a3c5b83cb8252fc9c68aaf95857a9421ddb5c0f49d7d126242e70b02
SHA -256}
SpringShell Exploit        IP addresses 

Generic signatures and Rules

Yara Rules:

Figure – 8 Yara rules for SpringShell


  1. SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965 – Microsoft Security Blog
  2. CVE-2022-22965 Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware (
Scroll to Top