
Detecting and Validating Spring4Shell Vulnerability: CVE-2022-22965

By Alex Zaslavsky
Sr. Product Manager
April 6, 2022

What is SpringShell?

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework to its Known Exploited Vulnerabilities Catalog based on “evidence of active exploitation.”

The critical severity flaw was assigned the identifier CVE-2022-22965 (CVSS score: 9.8) and dubbed “SpringShell”.

The Spring Framework provides a comprehensive set of extensions and third-party libraries that let developers build applications. It is described as the “most widely used lightweight open-source framework for Java.”

How is the vulnerability exposed?

The Spring4Shell (or SpringShell) vulnerability affects Spring MVC and Spring WebFlux applications. Applications running on Java Development Kit (JDK) version 9 and higher and Apache Tomcat version 9 and higher may be vulnerable to remote code execution (RCE) through data binding. The exposure applies when the application runs on Tomcat as a WAR deployment. Applications deployed as a Spring Boot executable jar are not vulnerable.

Proof-of-concept exploits exist, suggesting that the vulnerability is exploitable and high risk.

Impacted systems have the following traits:

  • Running JDK 9.0 or later.
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions.
  • Apache Tomcat as the Servlet container.
  • Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance.
  • Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted.
  • The Tomcat deployment has spring-webmvc or spring-webflux dependencies.
  • Any system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable.

Also note that a specific, non-default configuration is needed for this vulnerability to be exploited.
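For teams triaging their own build artifacts, the trait list above can be applied as an inventory check. The following is an added example, not CyCognito's tooling: it reads a WAR, finds spring-webmvc and spring-webflux jars by file name, and compares their versions with the ranges listed above. The function names, the caller-supplied `jdk_major` and `container` values, and the in-memory sample WAR are assumptions; renamed or shaded jars are not detected, and the non-default configuration is not checked.

```python
import io
import re
import zipfile

# Dependencies named in the trait list, matched by jar file name inside the WAR.
JAR_RE = re.compile(r"^WEB-INF/lib/(spring-webmvc|spring-webflux)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

def version_in_page_ranges(v):
    """True for 5.3.0-5.3.17, 5.2.0-5.2.19 and earlier versions (the ranges listed above)."""
    if v[:2] == (5, 3):
        return v[2] <= 17
    if v[:2] == (5, 2):
        return v[2] <= 19
    return v < (5, 2, 0)

def triage_war(war_bytes, jdk_major, container):
    """Compare one WAR plus caller-supplied host facts against the traits."""
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.match(name)
            if m:
                found.append((m.group(1), tuple(map(int, m.group(2, 3, 4)))))
    in_range = [f for f in found if version_in_page_ranges(f[1])]
    unmet = []
    if jdk_major < 9:
        unmet.append("JDK is older than 9")
    if container.lower() != "tomcat":
        unmet.append("servlet container is not Apache Tomcat")
    if not in_range:
        unmet.append("no spring-webmvc/spring-webflux jar in the listed version ranges")
    return {"matches_traits": not unmet, "spring_jars": found, "unmet": unmet}

def make_war(jar_names):
    """Build a constructed in-memory WAR holding empty placeholder jars (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            war.writestr("WEB-INF/lib/" + jar, b"")
    return buf.getvalue()

if __name__ == "__main__":
    old = make_war(["spring-webmvc-5.3.17.jar", "spring-beans-5.3.17.jar"])
    new = make_war(["spring-webmvc-5.3.18.jar"])
    print(triage_war(old, jdk_major=11, container="Tomcat"))
    print(triage_war(new, jdk_major=11, container="Tomcat"))
    print(triage_war(old, jdk_major=8, container="Tomcat"))
```

A WAR that matches every trait belongs on the remediation list; an empty `unmet` list does not by itself prove exploitability, since the required configuration is outside what the archive shows.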

Detection and Validation

It is possible to detect exposed Spring Boot server instances using a favicon hash.

For the identified Spring Boot instances, an easy and safe method exists to validate whether an instance is exploitable using a simple HTTP request.

More information is available here.

Another detection option is the Nuclei community vulnerability scanner, which has a template for detecting the vulnerability; the template can be found here.

The CyCognito platform automates the discovery of Spring Boot servers and validates whether they are exploitable.

What can CyCognito customers do?

  • To receive a list of assets in your environment that may be affected, contact CyCognito’s Customer Success Team.
  • Head to the Advisories dashboard and load the SpringShell advisory.

Stay tuned! CyCognito will continue updating you as more news about this vulnerability unfolds.

