CVE-2022-22963

Name: CVE-2022-22963
Creator: NVD / NIST
Published: 2022-04-01T23:15:13.663+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10Actively ExploitedEPSS 99.94%

Last modified Jun 17, 2026

CVE-2022-22963 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.. CISA has confirmed active exploitation in the wild. EPSS estimates a 99.94% chance of exploitation in the next 30 days.

Description

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

99.94%

100.0th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Sep 15, 2022.

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Vmware	Spring Cloud Function	<= 3.1.6
Vmware	Spring Cloud Function	>= 3.2.0, <= 3.2.2
Oracle	Banking Branch	14.5
Oracle	Banking Cash Management	14.5
Oracle	Banking Corporate Lending Process Management	14.5
Oracle	Banking Credit Facilities Process Management	14.5
Oracle	Banking Electronic Data Exchange For Corporates	14.5
Oracle	Banking Liquidity Management	14.2
Oracle	Banking Liquidity Management	14.5
Oracle	Banking Origination	14.5
Oracle	Banking Supply Chain Finance	14.5
Oracle	Banking Trade Finance Process Management	14.5
Oracle	Banking Virtual Account Management	14.5
Oracle	Communications Cloud Native Core Automated Test Suite	1.9.0
Oracle	Communications Cloud Native Core Automated Test Suite	22.1.0
Oracle	Communications Cloud Native Core Console	1.9.0
Oracle	Communications Cloud Native Core Console	22.1.0
Oracle	Communications Cloud Native Core Network Exposure Function	22.1.0
Oracle	Communications Cloud Native Core Network Function Cloud Native Environment	1.10.0
Oracle	Communications Cloud Native Core Network Function Cloud Native Environment	22.1.0
Oracle	Communications Cloud Native Core Network Function Cloud Native Environment	22.1.2
Oracle	Communications Cloud Native Core Network Repository Function	1.15.0
Oracle	Communications Cloud Native Core Network Repository Function	22.1.0
Oracle	Communications Cloud Native Core Network Slice Selection Function	1.8.0
Oracle	Communications Cloud Native Core Network Slice Selection Function	22.1.0
Oracle	Communications Cloud Native Core Policy	1.15.0
Oracle	Communications Cloud Native Core Policy	22.1.0
Oracle	Communications Cloud Native Core Policy	22.1.3
Oracle	Communications Cloud Native Core Security Edge Protection Proxy	1.7.0
Oracle	Communications Cloud Native Core Security Edge Protection Proxy	22.1.0
Oracle	Communications Cloud Native Core Unified Data Repository	1.15.0
Oracle	Communications Cloud Native Core Unified Data Repository	22.1.0
Oracle	Communications Communications Policy Management	12.6.0.0.0
Oracle	Financial Services Analytical Applications Infrastructure	8.1.1.0
Oracle	Financial Services Analytical Applications Infrastructure	8.1.2.0
Oracle	Financial Services Behavior Detection Platform	8.1.1.0
Oracle	Financial Services Behavior Detection Platform	8.1.1.1
Oracle	Financial Services Behavior Detection Platform	8.1.2.0
Oracle	Financial Services Enterprise Case Management	8.1.1.0
Oracle	Financial Services Enterprise Case Management	8.1.1.1
Oracle	Financial Services Enterprise Case Management	8.1.2.0
Oracle	Mysql Enterprise Monitor	<= 8.0.29
Oracle	Product Lifecycle Analytics	3.6.1.0
Oracle	Retail Xstore Point Of Service	20.0.1
Oracle	Retail Xstore Point Of Service	21.0.0
Oracle	Sd-Wan Edge	9.0
Oracle	Sd-Wan Edge	9.1

References

http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.htmlExploit, Third Party Advisory, VDB Entry
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005Third Party Advisory
https://tanzu.vmware.com/security/cve-2022-22963Vendor Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxHThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.htmlExploit, Third Party Advisory, VDB Entry
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005Third Party Advisory
https://tanzu.vmware.com/security/cve-2022-22963Vendor Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxHThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22963US Government Resource

Timeline

Published: Apr 1, 2022
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2022-22963?

How severe is CVE-2022-22963?

CVE-2022-22963 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 99.94% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2022-22963?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-22963?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST