egalinkin-r7 (5)
egalinkin-r7's Latest (1) Contributions
Technical Analysis
CVE-2022-22947 is a remote code execution vulnerability in Spring Cloud Gateway that is currently being exploited in the wild. The vulnerable condition stems from Spring Expression Language (SpEL) expressions being passed to a StandardEvaluationContext. This means that any valid SpEL expression passed to the context is executed.
Wyatt Dahlenberg provided a proof of concept exploit on his blog, which works on crafted vulnerable applications. Exposing the interface requires modifying the application.properties file of an application using Spring Cloud Gateway, which suggests that exposure of the vulnerable API is both non-standard and relatively uncommon.
Telemetry from Rapid7’s Project Heisenberg reveals a small number of exploit attempts (and scanners looking for vulnerable applications) over the last two months. This suggests that the scale of exploitation is low at this time.
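A defender-side check for the configuration-dependent exposure described above, added here as an example and not taken from the original analysis or from Spring: it reads an `application.properties` file and reports whether the Gateway actuator endpoint is enabled and web-exposed. The property names and defaults follow the Spring Boot Actuator and Spring Cloud Gateway documentation rather than this page, the sample configurations are constructed, and YAML configuration is not handled.

```python
import re
import sys

# Property names per Spring Boot Actuator / Spring Cloud Gateway docs (not from this page).
ENABLED = "management.endpoint.gateway.enabled"
INCLUDE = "management.endpoints.web.exposure.include"
EXCLUDE = "management.endpoints.web.exposure.exclude"

def parse_properties(text):
    """Parse the .properties subset needed here: comments, '=' / ':' / space
    separators, and backslash line continuations."""
    props = {}
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)  # fold continued lines
    for line in joined.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def _ids(value):
    """Split a comma-separated endpoint list into a normalized set."""
    return {v.strip().strip("\"'").lower() for v in value.split(",") if v.strip()}

def gateway_actuator_exposed(text):
    """True when the gateway actuator endpoint is enabled and web-exposed."""
    props = parse_properties(text)
    # Assumed defaults: endpoint enabled, only 'health' exposed over HTTP.
    enabled = props.get(ENABLED, "true").lower() != "false"
    include = _ids(props.get(INCLUDE, "health"))
    exclude = _ids(props.get(EXCLUDE, ""))
    included = bool({"*", "gateway"} & include)
    excluded = bool({"*", "gateway"} & exclude)
    return enabled and included and not excluded

# Constructed sample configurations, used when no file path is given.
SAMPLES = {
    "defaults": "server.port=8080\n",
    "exposed": ENABLED + "=true\n" + INCLUDE + "=gateway\n",
    "wildcard-disabled": INCLUDE + ": *\n" + ENABLED + " = false\n",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(sys.argv[1], "exposed" if gateway_actuator_exposed(fh.read()) else "not exposed")
    else:
        for name, cfg in SAMPLES.items():
            print(name, "exposed" if gateway_actuator_exposed(cfg) else "not exposed")
```

A positive result only means the endpoint is reachable by configuration; whether a deployment is affected also depends on the Spring Cloud Gateway version and on any access controls in front of the actuator.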