Last updated at Fri, 01 Apr 2022 18:34:29 GMT

CVE-2022-22963 - Spring Cloud Function SpEL RCE

A new exploit/multi/http/spring_cloud_function_spel_injection module has been developed by our very own Spencer McIntyre which targets Spring Cloud Function versions Prior to 3.1.7 and 3.2.3. This module is unrelated to Spring4Shell CVE-2022-22965, which is a separate vulnerability in the WebDataBinder component of Spring Framework.

This exploit works by crafting an unauthenticated HTTP request to the target application. When the HTTP header is received by the server it will evaluate the user provided SpEL (Spring Expression Language) query, leading to remote code execution. This can be seen within the CVE-2022-22963 Metasploit module:

res = send_request_cgi(
    'method' => 'POST',
    'uri' => normalize_uri(datastore['TARGETURI']),
    'headers' => {
    '' => "T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub("'", "''")}'})"

Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message

New module content (1)

  • Spring Cloud Function SpEL Injection by Spencer McIntyre, hktalent, and m09u3r, which exploits CVE-2022-22963 - This achieves unauthenticated remote code execution by executing SpEL (Spring Expression Language) queries against Spring Cloud Function versions prior to 3.1.7 and 3.2.3.

Bugs fixed (2)

  • #16364 from zeroSteiner - This adds a fix for a crash in auxiliary/spoof/dns/native_spoofer and adds documentation for the module.
  • #16386 from adfoster-r7 - Fixes a crash when running the exploit/multi/misc/java_rmi_server module against at target server, such as Metasploitable2

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).