Cyber Resilience

CVE-2022-22965

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 01 April 2022
Modified: 30 October 2025
KEV Added: 04 April 2022
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9968 (99.9th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2022-22965 (widely known as Spring4Shell) is a critical-severity Code Injection (CWE-94) vulnerability in the Spring Framework, the Java application framework maintained by VMware Tanzu. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept exploit is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2022-22965 is a remote code execution vulnerability affecting Spring MVC and Spring WebFlux applications running on JDK 9 or later. The flaw stems from unsafe request data binding: request parameters can be bound to nested properties reachable through a bound object's class property, which lets an attacker alter runtime state and ultimately execute arbitrary code. The published exploit path requires the application to be deployed as a WAR on Apache Tomcat; Spring Boot executable JAR deployments (the default) are not susceptible to that vector, but the framework maintainers describe the underlying issue as more general, so the upgrade is required regardless of deployment type.

Unauthenticated remote attackers can exploit the vulnerability over the network to achieve full code execution, compromising confidentiality, integrity, and availability. Public proof-of-concept exploits have been released that target the data-binding mechanism in vulnerable configurations, enabling attackers to load and execute malicious classes without authentication or user interaction.

Vendor advisories from VMware Tanzu, Siemens, and SonicWall outline mitigation steps, including upgrading the framework and, as a stop-gap, configuration changes that restrict which properties request data may bind to. The EPSS score has remained elevated since disclosure (see the score block above), indicating sustained exploitation interest. Public exploit code is available on PacketStorm.

Vulnerability details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
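The conditions above (affected Spring Framework version, JDK 9 or later, WAR on Tomcat for the published exploit path) are the inputs an inventory or scanner needs for triage. The following is an added example, not code from this page, VMware or the Spring project; the class and method names are illustrative, and the version boundaries assume the fixed releases 5.2.20 and 5.3.18 listed under Affected Assets.

```java
/**
 * Exposure triage for CVE-2022-22965 (added example, not vendor code).
 * Encodes the advisory's stated conditions: an affected Spring Framework
 * version, JDK 9 or later, and deployment as a WAR on Tomcat for the
 * published exploit path. Version boundaries assume fixes 5.2.20 / 5.3.18.
 */
public class Spring4ShellTriage {

    public enum Exposure {
        NOT_AFFECTED,               // Spring version outside the affected ranges
        PATCH_PRECONDITIONS_UNMET,  // affected version, but JDK < 9 or not a WAR on Tomcat
        PATCH_URGENTLY              // affected version and the published exploit path applies
    }

    /** Parses "5.3.17" or "5.2.19.RELEASE" into {major, minor, patch}; missing parts are 0. */
    static int[] parseVersion(String version) {
        int[] parts = new int[3];
        String[] raw = version.trim().split("\\.");
        for (int i = 0; i < 3 && i < raw.length; i++) {
            String digits = raw[i].replaceAll("[^0-9].*$", ""); // drop qualifiers like "-SNAPSHOT"
            parts[i] = digits.isEmpty() ? 0 : Integer.parseInt(digits);
        }
        return parts;
    }

    static int compareVersions(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) {
                return Integer.compare(a[i], b[i]);
            }
        }
        return 0;
    }

    /** True for every version below 5.2.20 and for 5.3.0 through 5.3.17. */
    static boolean isAffectedSpringVersion(String version) {
        int[] v = parseVersion(version);
        boolean before5220 = compareVersions(v, parseVersion("5.2.20")) < 0;
        boolean in53Range = compareVersions(v, parseVersion("5.3.0")) >= 0
                && compareVersions(v, parseVersion("5.3.18")) < 0;
        return before5220 || in53Range;
    }

    static Exposure triage(String springVersion, int jdkMajor, boolean warOnTomcat) {
        if (!isAffectedSpringVersion(springVersion)) {
            return Exposure.NOT_AFFECTED;
        }
        if (jdkMajor >= 9 && warOnTomcat) {
            return Exposure.PATCH_URGENTLY;
        }
        // The advisory says the issue is more general than the published exploit,
        // so an affected version still needs the upgrade when the known path is closed.
        return Exposure.PATCH_PRECONDITIONS_UNMET;
    }

    public static void main(String[] args) {
        // Constructed inventory rows (not real hosts): Spring version, JDK major, WAR-on-Tomcat.
        Object[][] inventory = {
            {"5.3.17", 11, true},
            {"5.2.19.RELEASE", 17, false},
            {"5.3.18", 11, true},
            {"6.0.0", 17, true},
        };
        for (Object[] row : inventory) {
            System.out.printf("%-16s JDK %-2d war=%-5b -> %s%n",
                    row[0], row[1], row[2],
                    triage((String) row[0], (Integer) row[1], (Boolean) row[2]));
        }
    }
}
```

The three-way result is deliberate: an affected version on JDK 8 or in an executable jar is not a false positive to be closed, it is a lower-urgency patch item, because the page itself says the exploit conditions describe only the known path.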

CWE(s): CWE-94 (Code Injection)

Related Threats

CVEs Like This One

CVE-2026-20045 · same vendor (Cisco) · both on KEV
CVE-2025-37164 · shared CWE-94 · both on KEV
CVE-2026-1281 · shared CWE-94 · both on KEV
CVE-2026-1340 · shared CWE-94 · both on KEV
CVE-2025-23209 · shared CWE-94 · both on KEV
CVE-2025-54068 · shared CWE-94 · both on KEV
CVE-2025-49704 · shared CWE-94 · both on KEV
CVE-2025-6204 · shared CWE-94 · both on KEV
CVE-2025-24893 · shared CWE-94 · both on KEV
CVE-2026-34197 · shared CWE-94 · both on KEV

Affected Assets (vendor · product · versions)

vmware · spring framework · < 5.2.20; 5.3.0 to 5.3.17 (fixed in 5.2.20 and 5.3.18)
cisco · cx cloud agent · ≤ 2.1.0
oracle · communications cloud native core automated test suite · 1.9.0, 22.1.0
oracle · communications cloud native core console · 1.9.0, 22.1.0
oracle · communications cloud native core network exposure function · 22.1.0
oracle · communications cloud native core network function cloud native environment · 1.10.0, 22.1.0
oracle · communications cloud native core network repository function · 1.15.0, 22.1.0
oracle · communications cloud native core network slice selection function · 1.8.0, 1.15.0, 22.1.0
oracle · communications cloud native core policy · 1.15.0, 22.1.0
oracle · communications cloud native core security edge protection proxy · 1.7.0, 22.1.0
+28 more product configuration(s); see NVD for the full list

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 Information Input Validation

Directly mitigates the data-binding vector by validating untrusted input before it reaches Spring's property binding logic and by restricting which fields request data is allowed to bind to.

prevent

Limits the attack surface by avoiding WAR-on-Tomcat deployment where a Spring Boot executable jar suffices, and by restricting the classes and property paths reachable through data binding.

prevent · AC-6 Least Privilege

Ensures the Spring application process runs with minimal OS and JVM privileges, so that a successful RCE inside the application does not readily become full system compromise.
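The "restrict data binding" control above is usually implemented as a global @InitBinder that denies binding to class/Class property paths. The following is an added example following the ControllerAdvice approach the vendor advisories describe; it is not code copied from this page or from VMware, and the class and method names (BindingDenylistAdvice, restrictBinding) are illustrative. It assumes Spring MVC on an affected version and is a stop-gap only; upgrading to Spring Framework 5.3.18 or 5.2.20 remains the fix.

```java
import java.util.Arrays;
import java.util.stream.Stream;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global data-binding restriction for Spring MVC applications that cannot yet
 * upgrade (added example, not vendor code). It refuses to bind any request
 * parameter whose property path starts with or passes through "class"/"Class",
 * the property chain the data-binding exploit walks to reach runtime internals.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // applied after other ControllerAdvice beans' @InitBinder methods
public class BindingDenylistAdvice {

    // Both spellings are needed because disallowed-field matching is case-sensitive
    // in the affected versions. Wildcards use Spring's simple "*" pattern matching.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void restrictBinding(WebDataBinder binder) {
        // setDisallowedFields replaces the array rather than appending, so merge
        // with anything an earlier advice already disallowed instead of clobbering it.
        String[] existing = binder.getDisallowedFields();
        String[] merged = existing == null
                ? DENYLIST
                : Stream.concat(Arrays.stream(existing), Arrays.stream(DENYLIST))
                        .toArray(String[]::new);
        binder.setDisallowedFields(merged);
    }
}
```

Controller-level @InitBinder methods run after the global ones, so a controller that calls setDisallowedFields itself overrides this advice; apply the same merge in those controllers. Verify the control with a request that submits a parameter named with a class.… prefix and confirm the binder rejects it rather than silently binding it.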

References