A newly disclosed vulnerability dubbed Spring4Shell or SpringShell affects certain Spring-based Java applications and could allow remote code execution under specific conditions. Reported prerequisites include use of the spring-beans library, Java 9+, and Tomcat 9+; successful exploitation may let an attacker write a malicious payload to disk for later execution. Public proof-of-concept code was released, increasing the risk of opportunistic testing against exposed systems.
The reporting distinguishes Spring4Shell from CVE-2022-22963, which affects Spring Cloud Function and is described as a separate issue rather than the same flaw. At the time covered by the references, there were no official reports of active exploitation in the wild and no official patch yet available, but defenders were provided public mitigation guidance and YARA detection rules to help identify vulnerable deployments and possible exploitation attempts.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Public defensive guidance and YARA rules were shared to help organizations assess exposure and detect possible Spring4Shell exploitation. The same source says no official patch was available at that time.
Public proof-of-concept exploit code for Spring4Shell had been released. At that time, the source says there were no official reports of exploitation in the wild.
The Spring4Shell, also called SpringShell, vulnerability was newly disclosed as affecting certain Spring-based Java applications under specific conditions including Java 9+ and Tomcat 9+. The write-up says exploitation could let an attacker write a malicious payload to disk for later execution.
A distinct vulnerability tracked as CVE-2022-22963 was assigned for a Spring Cloud Function issue. The sources note this CVE is separate from the later Spring4Shell/SpringShell vulnerability.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.