Microsoft detects Spring4Shell attacks in its cloud services


Microsoft said it is currently following a “low volume of exploits” targeting the critical Spring4Shell (aka SpringShell) remote code execution (RCE) vulnerability in its cloud services.

The Spring4Shell vulnerability (tracked as CVE-2022-22965) affects the Spring Framework, which has been described as the “most widely used lightweight open-source framework for Java”.

“Microsoft regularly monitors attacks against our cloud infrastructure and services to better defend them,” said the Microsoft 365 Defender Threat Intelligence Team.

“Since the announcement of the Spring Core vulnerability, we have tracked a low rate of exploits in our cloud services for Spring Cloud and Spring Core vulnerabilities.”

Spring4Shell abused to deploy web shells

Microsoft further explained in its report on Monday that attackers can exploit this Spring Core security flaw by sending specially crafted queries to servers running the Spring Core framework to create web shells in the Tomcat root.

Threat actors can then use this web shell to execute commands on the compromised server.

While some have compared the severity level of this security bug to Log4Shell, a vulnerability in the ubiquitous Apache Log4j Java-based logging library, this isn’t necessarily true, as Spring4Shell only affects systems with a very specific configuration:

- Running JDK 9.0 or later
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and earlier
- Apache Tomcat as the Servlet container
- Packaged as a Java Traditional Web Archive (WAR) and deployed in a standalone Tomcat instance; typical Spring Boot implementations with a built-in Servlet container or reactive web server are not affected
- Tomcat has spring-webmvc or spring-webflux dependencies

Despite this, Microsoft says that “any system running JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable.”

Administrators can check their servers to determine if they are vulnerable to Spring4Shell attacks using this non-malicious command; an HTTP 400 response is proof that the system is vulnerable to at least one publicly available proof-of-concept (PoC) exploit:

curl host:port/path?class.module.classLoader.URLs%5B0%5D=0
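As an added defender-side example, not code from the article or from Microsoft's report, the following Python scans web-server access-log lines for requests whose query-parameter names reach into class.module.classLoader (the parameter prefix used by the probe above and by the crafted queries described earlier) and records which of those requests drew the HTTP 400 response the article associates with vulnerable servers. The combined log format, the sample lines and the double URL-decoding are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not real telemetry.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Apr/2022:10:01:02 +0000] "GET /app/index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [04/Apr/2022:10:01:09 +0000] "GET /app/?class.module.classLoader.URLs%5B0%5D=0 HTTP/1.1" 400 0',
    '10.0.0.9 - - [04/Apr/2022:10:02:15 +0000] "POST /app/login HTTP/1.1" 302 0',
    '10.0.0.11 - - [04/Apr/2022:10:03:44 +0000] "GET /app/?class%2Emodule%2EclassLoader%2EURLs%5B0%5D=0 HTTP/1.1" 200 0',
]

# Assumed log layout: client, ident, user, [timestamp], "method target protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Parameter-name prefix taken from the probe request quoted in the article (compared case-insensitively).
SUSPICIOUS_PREFIX = "class.module.classloader"


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return the decoded query-parameter names in `target` that start with the classLoader prefix."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    names = []
    for pair in query.split("&"):
        raw_name = pair.split("=", 1)[0]
        # Decode twice so that percent-encoded dots/brackets and double-encoded names both normalise.
        name = unquote_plus(unquote_plus(raw_name))
        if name.lower().startswith(SUSPICIOUS_PREFIX):
            names.append(name)
    return names


def scan(lines):
    """Return one record per request that carried a classLoader parameter, with its response status."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        names = suspicious_params(rec["target"])
        if not names:
            continue
        status = int(rec["status"])
        hits.append({"ip": rec["ip"], "method": rec["method"], "params": names,
                     "status": status, "responded_400": status == 400})
    return hits
```

A 400 on such a request is the signal the article describes; a 200 still records that the classLoader parameter reached the application and should be investigated alongside the Tomcat web root.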

Continued Exploitation Warnings

Microsoft’s discovery of ongoing attacks using Spring4Shell exploits against its cloud infrastructure comes after the US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its catalog of known exploits.

A Check Point report published Tuesday estimates that CVE-2022-22965 exploit attempts already target about 16% of all organizations vulnerable to Spring4Shell.

Based on internal telemetry statistics, Check Point researchers discovered about 37,000 Spring4Shell exploit attempts this past weekend alone.

On Monday, VMware also released security updates to address the Spring4Shell flaw affecting several of its cloud computing and virtualization products.
