Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Trustwave’s Action Response: CVE-2022-22965 and CVE-2022-22963

Update 4/1: This blog was updated to reflect the release of IDS and ModSecurity rules.

Update 4/5: CISA has added CVE-2022-22965 to its Known Exploited Vulnerabilities Catalog due to "evidence of active exploitation." The organization has warned the community of multiple reports of malicious scanning activity.

Summary of Trustwave Actions: 

Trustwave security and engineering teams are actively investigating the vulnerabilities CVE-2022-22965 (also referenced by other vendors as Spring4Shell / SpringShell) and CVE-2022-22963 and potential exploits. We are diligently watching over our clients for exposure and associated attacks and are taking action with approved mitigation efforts. 

At this time, Trustwave infrastructure and products have not been adversely affected by the vulnerabilities / exploits. We are continuing to monitor our own infrastructure and products as more information becomes available.  

Trustwave is working closely with its technology alliance partners to confirm if products utilized in client environments are protected against any potential exploits of CVE-2022-22965 and CVE-2022-22963. Trustwave is initiating software and policy updates to protect and detect exploitation of these vulnerabilities for clients.  

Trustwave will be conducting ongoing actions as vendors release software and additional policy updates. Such activity will be communicated to clients through Fusion cases and change tickets. 

Trustwave MDR Advanced Clients:

The Trustwave SpiderLabs Threat Hunt Team has investigated the vulnerabilities and will continue to monitor for developing attacks. 

CVE-2022-22965: Impact, Dangers and Mitigation

CVE-2022-22965 is a confirmed RCE vulnerability in Spring Core <=5.3.17 (for 5.3.x) and <=5.2.19 (for 5.2.x). This vulnerability is a class manipulation vulnerability and is currently being discussed publicly as Spring4Shell or SpringShell. It appears to be a bypass of protections set up for CVE-2010-1622 ( 

Other mitigating factors will define whether or not a server running on Spring Core is vulnerable. Currently, the only verified-vulnerable instances require the use of Spring MVC or Spring WebFlux applications (spring-webmvc or spring-webflux) running under JDK version 9 and newer. Additionally, Spring Core needs to run under Apache Tomcat as a WAR deployment. JAR deployments are not currently known to be vulnerable.  

Additionally, Class Loader Manipulation vulnerabilities can be very complicated and have many mitigating factors, so it's still unclear how many real-world implementations may be vulnerable or whether the scope of this vulnerability will expand to other implementations. 

Spring Framework versions 5.3.18 and 5.2.20, which address the vulnerability, are now available ( 

CVE-2022-22963: Impact, Dangers and Mitigation

CVE-2022-22963 is a second confirmed RCE vulnerability in Spring. However, rather than Spring Core, this affects Spring Cloud Function, which is not in the default Spring Framework. It affects Spring Cloud Function <=3.1.6 (for 3.1.x) and <=3.2.2 (for 3.2.x). This vulnerability affects the Spring Expression Language (SpEL). An attacker can pass arbitrary code to SpEL via a HTTP parameter named as that parameter goes unvalidated by the Cloud Function. 

This vulnerability is comparatively easier to exploit (subject to certain variables) and can be done via common tools like curl and Burp. However, it seems that the number of hosts using Spring Cloud Function is far fewer than Spring Core itself, which should limit the attack surface. 

Spring Cloud Function versions 3.1.7 and 3.2.2, which address the vulnerability, are now available ( 

Trustwave Product Protections:

  • Trustwave has released an IDS rule push with coverage for both CVEs (two for CVE-2022-22963 and three for CVE-2022-22965).
  • The Trustwave Vulnerability Assessment Team (VAT) team is currently developing a Carrier check, which will be available April 4.
  • The ModSecurity commercial ruleset has released out of band updates with coverage for both CVEs.

General Recommendations for Limiting the Impact of Vulnerabilities: 

  • Manage Your Assets: Depending on the software you are running, not every instance of a zero-day is likely to affect you. An organization should conduct ongoing asset inventory and vulnerability assessments, then uninstall any software that is no longer needed. For software still required, disable any features that are not necessary. This action should decrease your potential attack surface and may eliminate the impact of certain zero-days that target the removed software or the disabled features. 
  • Break the Attack Kill Chain: A successful compromise involves many phases, which may be beneficial as it gives opportunities to thwart an incursion before it can inflict maximum damage. To accomplish this, however, organizations should continuously monitor their network. Monitoring can be conducted by deploying a full stack of intelligent security products, using generic, behavior, and heuristic-based approaches to threat visibility and detection. Organizations should also utilize threat hunting to search systems for vulnerabilities actively. This activity should help prevent attackers that use zero-day vulnerabilities from gaining initial entry and residing for extended periods in a network. 
  • Patch, Patch and Patch: Patching after a zero-day has impacted an organization may not stop that attack, but can still be important to verify all available fixes have been applied. The zero-day may rely on other components to complete its attack. For example, a local privilege-escalation zero-day may exist, but if the system is patched against a remote-code execution vulnerability that is used in tandem with the zero-day, major harm may be avoided. In addition, remember that once the zero-day receives a fix, attackers will still exploit it - and those that are tardy to the patch party may be in for a rude surprise. 
  • Stay Informed: System Admins should keep an eye on not only their systems but on the global news as zero-day activity, along with other types of attacks, often make headlines. In addition, employees should be trained and made aware that their actions can have negative consequences. This includes clicking on a malicious link that could trigger a zero-day. While perfect behavior is impossible, it's still important to rely on workers, especially if the security products in place do not provide the proactive defense needed to address today's threats. And remember, security awareness programs don't need to be agonizingly boring - effective lessons get creative and use stories to motivate the troops. 


Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More