CVE-2022-22963
VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
CVSS 9.8 · CRITICAL
⚠ CISA KEV — ACTIVELY EXPLOITED
On the CISA KEV catalog
Confirmed exploited in the wild. Added 2022-08-25.
Federal remediation due 2022-09-15.
Required action: Apply updates per vendor instructions.
Summary
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when the routing functionality is used, a user can supply a specially crafted SpEL expression as a routing expression, which may result in remote code execution and access to local resources.
CVSS 3.1 breakdown
| Metric | Value |
|---|---|
| Base score | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
- VMware Spring Cloud Function
- Oracle Banking Branch
- Oracle Banking Cash Management
- Oracle Banking Corporate Lending Process Management
- Oracle Banking Credit Facilities Process Management
- Oracle Banking Electronic Data Exchange for Corporates
- Oracle Banking Liquidity Management
- Oracle Banking Origination
- Oracle Banking Supply Chain Finance
- Oracle Banking Trade Finance Process Management
- Oracle Banking Virtual Account Management
- Oracle Communications Cloud Native Core Automated Test Suite
- Oracle Communications Cloud Native Core Console
- Oracle Communications Cloud Native Core Network Exposure Function
- Oracle Communications Cloud Native Core Network Function Cloud Native Environment
- Oracle Communications Cloud Native Core Network Repository Function
- Oracle Communications Cloud Native Core Network Slice Selection Function
- Oracle Communications Cloud Native Core Policy
- Oracle Communications Cloud Native Core Security Edge Protection Proxy
- Oracle Communications Cloud Native Core Unified Data Repository
References
- http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
- https://tanzu.vmware.com/security/cve-2022-22963
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22963
Data: NIST NVD + CISA KEV. NVD last modified 2025-10-30. Always verify against the vendor advisory before acting.