CVE-2022-22965
Published: 01 April 2022
Summary
CVE-2022-22965 is a critical-severity Code Injection (CWE-94) vulnerability in Veritas NetBackup Appliance. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2022-22965 is a remote code execution vulnerability affecting Spring MVC or Spring WebFlux applications running on JDK 9 or later. The flaw stems from unsafe data binding that permits attackers to manipulate class properties, leading to arbitrary code execution. The most direct exploit path requires the application to be deployed as a WAR on Tomcat; Spring Boot executable JAR deployments are not susceptible to the published attack vector, although the underlying issue is described as more general.
Unauthenticated remote attackers can exploit the vulnerability over the network to achieve full code execution, compromising confidentiality, integrity, and availability. Public proof-of-concept exploits have been released that target the data-binding mechanism in vulnerable configurations, enabling attackers to load and execute malicious classes without authentication or user interaction.
Vendor advisories from VMware Tanzu, Siemens, and SonicWall outline mitigation steps including framework upgrades and configuration changes to restrict data binding. The associated EPSS score remains elevated, with a current value of 0.9443 and a recorded peak of 0.9754, indicating sustained exploitation interest following disclosure. Public exploit code is available on PacketStorm.
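As an added example (not code from this page, nor from the Spring project or any of the vendors named above), the following Java `@ControllerAdvice` is one way to implement the data-binding restriction the advisories describe: it registers disallowed field patterns on every `WebDataBinder` so request parameters cannot be bound into the `class` property graph of a bound object. The class name `BinderHardeningAdvice` is assumed; the pattern list follows the publicly documented workaround for this CVE.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Added defensive example: a global binder customizer that forbids binding
 * into the "class" / "Class" property paths of any model object. This is a
 * workaround layered on top of, not a substitute for, upgrading the framework.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderHardeningAdvice {

    // Top-level and nested variants; the capitalised form covers the
    // case variants that Spring's property accessor also resolves.
    static final String[] DISALLOWED_PATTERNS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void hardenBinder(WebDataBinder binder) {
        binder.setDisallowedFields(merge(binder.getDisallowedFields(), DISALLOWED_PATTERNS));
    }

    /** Keeps any patterns a controller already registered and appends ours, de-duplicated. */
    static String[] merge(String[] existing, String[] added) {
        Set<String> patterns = new LinkedHashSet<>();
        if (existing != null) {
            patterns.addAll(Arrays.asList(existing));
        }
        patterns.addAll(Arrays.asList(added));
        return patterns.toArray(new String[0]);
    }
}
```

One caveat a practitioner should check: a controller-local `@InitBinder` method runs after this advice, and if it calls `setDisallowedFields` itself it replaces the list rather than extending it, so such controllers need the same patterns added locally. Review binder configuration across the codebase rather than assuming the global advice covers every handler.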
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1283
Vulnerability details
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
- CWE(s): CWE-94 (Code Injection)
- KEV Date Added: 04 April 2022
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates the data-binding vector by enforcing strict validation and sanitization of untrusted input before it reaches Spring's property binding logic.
- Limits the application's attack surface by disabling unnecessary Tomcat WAR deployment features and restricting the classes or packages that can be loaded via data binding.
- AC-6 (Least Privilege): Ensures the Spring application process runs with minimal OS and JVM privileges so that successful RCE cannot easily achieve full system compromise.