Cybersecurity Briefing — Spring4Shell CVE-2022-22965 remote code execution
VMware’s Spring team disclosed CVE-2022-22965 (Spring4Shell) on 31 March 2022, a remote code execution flaw affecting Spring MVC/WebFlux apps on JDK 9+, prompting patch releases and urgent mitigation for Java web workloads.
The Spring maintainers confirmed CVE-2022-22965 on 31 March 2022 after exploit code surfaced. The flaw enables remote code execution on certain Spring MVC or WebFlux applications running on JDK 9 or later, and stems from unsafe data binding in the DefaultDataBinder when the application is deployed on Tomcat under specific conditions.
Spring issued patched versions 5.3.18 and 5.2.20 and published mitigations (e.g., setting disallowedFields on the data binder) for systems unable to update immediately. Teams were urged to inventory Java services, update to the fixed releases, and verify runtime protections against RCE payloads.
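The disallowedFields workaround referenced above, written out as an added example for administrators who cannot upgrade yet. This is not code from the advisory or the briefing; it follows the @ControllerAdvice pattern Spring published alongside the fix. The package name is assumed, and the denylist patterns are the ones Spring recommended for blocking traversal into class-loader property paths.

```java
package com.example.hardening; // hypothetical package name

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Applies a disallowed-fields denylist to every WebDataBinder in the
 * application, so request parameters cannot bind into "class.*" style
 * property paths (the binding path abused by CVE-2022-22965).
 *
 * Global @InitBinder methods from @ControllerAdvice run before a
 * controller's own @InitBinder methods. setDisallowedFields replaces
 * the list rather than appending to it, so any controller-local
 * @InitBinder that sets its own disallowed fields will override this
 * denylist; audit those methods as part of rolling out the workaround.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Patterns match against the bound property path. Both cases are
    // listed because "class" and "Class" are distinct property names.
    private static final String[] DISALLOWED = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void applyDenylist(WebDataBinder binder) {
        binder.setDisallowedFields(DISALLOWED);
    }
}
```

Treat this as a stop-gap: the fixed releases (5.3.18 / 5.2.20) harden the binder itself, and the workaround should be removed once the upgrade is in place so the denylist does not silently mask future binding changes.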
- VMware security advisory documents impacted configurations, severity, and recommended upgrades.
- Spring project announcement provides patch versions, workaround guidance, and scope details for administrators.