Cyber Resilience

CVE-2022-22947

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 03 March 2022
Modified: 30 October 2025
KEV Added: 16 May 2022
Patch
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9446 (100.0th percentile)
Risk Priority: 97 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-22947 is a critical-severity Code Injection (CWE-94) vulnerability in Oracle Communications Cloud Native Core Network Repository Function. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).

Deeper analysis

CVE-2022-22947 is a code injection vulnerability affecting Spring Cloud Gateway versions prior to 3.1.1 and 3.0.7. It arises when the Gateway Actuator endpoint is enabled, exposed, and left unsecured, allowing specially crafted requests to inject and execute arbitrary code due to improper handling of input in expression language evaluation (CWE-94 and CWE-917).

A remote attacker with no authentication can send a malicious HTTP request to the exposed actuator endpoint and achieve arbitrary remote code execution on the host with full confidentiality, integrity, and availability impact, as reflected in the CVSS 10.0 score.

Advisories from VMware Tanzu and Oracle list the fixed versions and urge operators to upgrade Spring Cloud Gateway to 3.1.1 or later (or 3.0.7 or later) while ensuring the actuator endpoint is not publicly reachable without proper access controls.

The EPSS score has reached a peak of 0.9755 with a current value of 0.9446, indicating sustained high exploitation interest after disclosure. Public proof-of-concept exploits have been posted to Packet Storm.

EU & UK References

Vulnerability details

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

CWE(s): CWE-94, CWE-917
KEV Date Added: 16 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
vmware | spring cloud gateway | 3.1.0 · ≤ 3.0.7
oracle | commerce guided search | 11.3.2
oracle | communications cloud native core binding support function | 1.11.0, 22.1.3
oracle | communications cloud native core console | 22.2.0
oracle | communications cloud native core network exposure function | 22.1.0
oracle | communications cloud native core network function cloud native environment | 1.10.0
oracle | communications cloud native core network repository function | 1.15.0, 1.15.1, 22.1.2, 22.2.0
oracle | communications cloud native core network slice selection function | 1.8.0, 22.1.0
oracle | communications cloud native core security edge protection proxy | 22.1.1
oracle | communications cloud native core service communication proxy | 1.15.0

Mitigating Controls (NIST 800-53 r5) AI

AC-3 Access Enforcement (prevent): Enforces authentication and authorization on the exposed Gateway Actuator endpoint so that unauthenticated attackers cannot submit malicious requests.

CM-7 Least Functionality (prevent): Requires disabling or restricting non-essential actuator endpoints and features, directly eliminating the attack surface described in the CVE.

Patching (prevent): Mandates prompt application of vendor patches that remove the code-injection flaw in Spring Cloud Gateway < 3.0.7/3.1.1.
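As an added illustration of the CM-7 and AC-3 controls above (this is not configuration from the page, the vendor advisories, or the Spring project), the Spring Boot application.yml below contrasts an exposed gateway actuator with a hardened one. The property keys are standard Spring Boot / Spring Cloud Gateway management properties; the management port and bind address are assumed values.

```yaml
# Added example: weak vs. hardened actuator configuration for a Spring Cloud Gateway
# application. Keys are standard Spring Boot / Spring Cloud Gateway properties; the
# port and address values are assumptions. Upgrading to 3.1.1 / 3.0.7 or later is
# still required; configuration alone does not remove the code-injection flaw.

# --- Weak pattern (the precondition named in the CVE): every actuator endpoint is
# --- exposed on the same listener that serves proxied traffic, and the gateway
# --- endpoint, which accepts route definitions, is enabled with nothing in front of it.
# management:
#   endpoints:
#     web:
#       exposure:
#         include: "*"
#   endpoint:
#     gateway:
#       enabled: true

# --- Hardened configuration
management:
  endpoint:
    gateway:
      enabled: false            # CM-7: turn the gateway actuator off unless it is needed
  endpoints:
    web:
      exposure:
        include: "health,info"  # CM-7: allow-list only what operations requires
        exclude: "gateway"      # exclude wins over include, so widening include later
                                # does not silently re-expose the endpoint
  server:
    port: 8081                  # management endpoints on their own listener (assumed port) ...
    address: 127.0.0.1          # ... bound to loopback, not the interface clients reach

# AC-3: if the gateway endpoint must stay enabled, authentication and authorization
# still need a Spring Security filter chain in front of /actuator/**; the properties
# above only shrink the exposed surface, they do not add access control.
```

Verify the result on a running instance by requesting /actuator/gateway on the public listener, which should return 404 once the endpoint is disabled and excluded.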

References