CVE-2022-22965 is a critical vulnerability that allows remote code execution (RCE) in Spring MVC or Spring WebFlux applications running on JDK 9 or higher. The specific exploit requires the application to be deployed on Tomcat as a WAR file, but there could be other potential exploit paths. Given its CVSS score of 9.8, this vulnerability poses a significant threat to organizations, particularly if they are using the affected software in production environments.
The risk to organizations includes unauthorized access and manipulation of application data, which could lead to further exploitation within the network. The urgency for defenders is critical, as this vulnerability is included in the Known Exploited Vulnerabilities (KEV) catalog, meaning it is actively being targeted by attackers.
Organizations should prioritize patching immediately. VMware has provided updates and guidance to mitigate this vulnerability, and it is crucial for all users of the Spring Framework to review their deployment configurations and apply necessary patches.
Additionally, organizations should assess their overall security posture and consider implementing robust monitoring and response strategies to detect potential exploitation attempts.
Vulnerability Details
The official description of CVE-2022-22965 states that a Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The exploit requires the application to run on Tomcat as a WAR deployment. If deployed as a Spring Boot executable jar, it is not vulnerable. However, the nature of the vulnerability suggests other potential exploit methods.
This vulnerability is classified under CWE-94 (Improper Control of Generation of Code ('Code Injection')). The CVSS score is 9.8, indicating a critical severity level, with high impacts on confidentiality, integrity, and availability.
Technical Analysis
The root cause of this vulnerability lies in how Spring handles data binding of request parameters onto model objects, with the known exploit path depending on the application being deployed as a WAR on Tomcat. The vulnerability is exploitable over the network with low attack complexity and requires no privileges or user interaction, which is why the CVSS vector rates the impact on confidentiality, integrity, and availability as high.
Risk & Impact Analysis
The real-world risk associated with CVE-2022-22965 is substantial, especially for organizations that deploy applications on Tomcat without adequate security measures. The blast radius could be considerable, impacting sensitive data and critical systems. The urgency is underscored by its inclusion in active exploitation catalogs, with the EPSS score indicating a very high probability of exploitation.
| Signal | Status |
|---|---|
| Known Exploit | Yes |
| Public PoC | Yes |
| Actively Exploited | Yes |
| Ransomware Use | No |
Affected Versions
The vulnerability affects VMware Spring Framework versions before 5.2.20 and between 5.3.0 and 5.3.18. Other components such as Cisco's CX Cloud Agent and various Oracle cloud solutions are also impacted.
Mitigation & Remediation
Organizations should apply the latest patches from VMware for the Spring Framework to secure their applications. The recommended action is to upgrade to the fixed versions specified by the vendor. For ongoing protection, security best practices such as web application firewalls and regular security assessments are advised.
For additional guidance, organizations can engage penetration testing services to help identify vulnerabilities in their applications.
Detection Guidance
To detect potential exploitation attempts, organizations should monitor application logs for requests that attempt to bind unexpected properties during data binding, as well as for unexpected code execution patterns on the application host. Additionally, implementing behavioral anomaly detection can help identify unauthorized activities within the application.
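As an added illustration of the log monitoring described above (not code from the original advisory), the following scanner flags access-log requests whose parameter names traverse a `class`/`Class` property during data binding; the pattern mirrors the property paths that Spring's published data-binding hardening disallows. The log lines are constructed samples, and the log format is assumed to be Tomcat's common access log.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A parameter name that steps through a "class"/"Class" property segment is
# attempting to bind to the model object's Class rather than to a form field.
# This mirrors the patterns the Spring project's published workaround disallows.
SUSPICIOUS_FIELD = re.compile(r"(^|\.)[cC]lass\.")

# Extracts method and request target from a Tomcat common-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2022:10:00:01 +0000] "GET /app/search?q=spring&page=2 HTTP/1.1" 200 512
10.0.0.9 - - [31/Mar/2022:10:00:02 +0000] "GET /app/user?name=alice&class.module.foo=1 HTTP/1.1" 200 311
10.0.0.7 - - [31/Mar/2022:10:00:03 +0000] "POST /app/login HTTP/1.1" 302 0
10.0.0.9 - - [31/Mar/2022:10:00:04 +0000] "GET /app/user?Class.foo=2 HTTP/1.1" 200 311
10.0.0.3 - - [31/Mar/2022:10:00:05 +0000] "GET /app/item?classic=true&subclass.x=1 HTTP/1.1" 200 100
"""


def suspicious_params(target):
    """Return the query parameter names in a request target that traverse a class property."""
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if SUSPICIOUS_FIELD.search(name)]


def scan_access_log(text):
    """Return (client_ip, request_target, flagged_names) for every flagged line."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        names = suspicious_params(match.group("target"))
        if names:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, match.group("target"), names))
    return hits


if __name__ == "__main__":
    for client_ip, target, names in scan_access_log(SAMPLE_LOG):
        print(f"{client_ip} {target} -> suspicious binding fields: {names}")
```

Access logs only record the query string, while data binding also consumes form bodies, so POST requests need a request-logging filter or WAF log to be covered by the same check.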
AppSecure Threat Intelligence Insight
CVE-2022-22965 reflects a growing trend in vulnerabilities associated with data binding in web frameworks. Security teams must prioritize secure coding practices and conduct regular penetration testing to uncover similar vulnerabilities. As the threat landscape evolves, organizations should stay updated on emerging vulnerabilities and enhance their defensive strategies.
For comprehensive security assessments, consider our application security assessment services to proactively identify and mitigate risks.
Moreover, organizations should implement continuous monitoring and consider adopting a continuous penetration testing approach to stay ahead of potential threats.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.