
CVE-2022-22963

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 01 April 2022
Modified: 30 October 2025
KEV Added: 25 August 2022
Patch
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.9446 (100.0th percentile)
Risk priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-22963 is a critical-severity Code Injection (CWE-94) vulnerability in Oracle Communications Cloud Native Core Network Function Cloud Native Environment. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-22963 is a remote code execution vulnerability affecting Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported releases. It occurs in the routing functionality when an attacker supplies a malicious Spring Expression Language (SpEL) expression as the routing-expression, which is then evaluated without adequate restrictions. The flaw is tracked under CWE-94 and CWE-917 and carries a CVSS 3.1 base score of 9.8.

Unauthenticated remote attackers can exploit the issue over the network by sending a crafted HTTP request containing the malicious SpEL payload. Successful exploitation grants arbitrary code execution on the server and access to local resources, with no user interaction or privileges required.

Public advisories from VMware Tanzu, Oracle, Cisco, and SonicWall describe the affected versions and direct users to upgrade to patched releases of Spring Cloud Function. Additional technical details and indicators are referenced in security bulletins linked from those vendors.

The CVE maintains very high EPSS scores, with a current value of 0.9446 and a recorded peak of 0.9755; public exploit code has also been posted to sites such as PacketStorm.


Vulnerability details

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

CWE(s): CWE-94, CWE-917
KEV Date Added: 25 August 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor, product: affected versions
vmware, spring cloud function: ≤ 3.1.6; 3.2.0 through 3.2.2
oracle, banking branch: 14.5
oracle, banking cash management: 14.5
oracle, banking corporate lending process management: 14.5
oracle, banking credit facilities process management: 14.5
oracle, banking electronic data exchange for corporates: 14.5
oracle, banking liquidity management: 14.2, 14.5
oracle, banking origination: 14.5
oracle, banking supply chain finance: 14.5
oracle, banking trade finance process management: 14.5
Plus 18 more product configurations; see NVD for the full list.

Mitigating Controls (NIST 800-53 r5)

Prevent, SI-10 (Information Input Validation): directly requires validation and sanitization of all input (including routing-expression parameters) to reject malicious SpEL payloads before they reach the expression parser.

Prevent: enforces disabling or restricting the routing functionality (an unneeded capability) so that SpEL expression evaluation is never exposed to untrusted input.

Prevent, SI-2 (Flaw Remediation): mandates timely application of vendor patches that remove the unsafe SpEL routing path entirely from affected Spring Cloud Function versions.
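As an added example (not code from this page, from VMware or from the Spring project), the check below turns the analysis above and the SI-10 input-validation control into detection logic over raw HTTP requests: it locates the Spring Cloud Function routing header (the real header name; the page only says "routing-expression") and flags SpEL type, constructor or bean references that a client-supplied route never needs. The sample requests, the /functionRouter path and the placeholder type reference are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass

# Header Spring Cloud Function reads for routing (the page only says "routing-expression").
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# SpEL constructs a client-chosen route never needs: type references T(...), constructor
# calls and @bean references. Plain navigation such as headers['function.name'] passes.
SUSPICIOUS_SPEL = re.compile(r"\bT\s*\(|\bnew\s+[\w.]+\s*\(|@\w+")


@dataclass
class Finding:
    request_no: int
    reason: str
    expression: str


def parse_headers(raw_request: str) -> dict[str, str]:
    """Headers of a raw HTTP request, names lower-cased (header names are case-insensitive)."""
    headers: dict[str, str] = {}
    for line in raw_request.splitlines()[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_requests(requests: list[str], routing_in_use: bool = False) -> list[Finding]:
    """Flag routing expressions that should not be trusted. With routing_in_use=False any
    routing header is unexpected; with True only SpEL reaching classes/constructors/beans is."""
    findings: list[Finding] = []
    for no, raw in enumerate(requests, 1):
        expr = parse_headers(raw).get(ROUTING_HEADER)
        if expr is None:
            continue
        if not routing_in_use:
            findings.append(Finding(no, "routing header sent to an app that does not route", expr))
        elif SUSPICIOUS_SPEL.search(expr):
            findings.append(Finding(no, "SpEL type/constructor/bean reference in route", expr))
    return findings


# Constructed sample requests, not real traffic. The third carries a placeholder type
# reference to show the shape the detector keys on; it is not a working payload.
SAMPLE_REQUESTS = [
    "POST /functionRouter HTTP/1.1\r\nHost: app.example.internal\r\nContent-Type: text/plain\r\n",
    "POST /functionRouter HTTP/1.1\r\nHost: app.example.internal\r\n"
    "Spring.Cloud.Function.Routing-Expression: headers['function.name']\r\n",
    "POST /functionRouter HTTP/1.1\r\nHost: app.example.internal\r\n"
    f"{ROUTING_HEADER}: T(example.Placeholder).run()\r\n",
]
```

On an application that does not use function routing, run with the default routing_in_use=False so that any request carrying the header is reported.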
