Is CVE-2022-22963 actively exploited?

CVE-2022-22963 has no public evidence of in-the-wild exploitation as of 2025-10-30.

What is the CVSS score for CVE-2022-22963?

CVE-2022-22963 has a CVSS score of 9.8 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

How do I patch CVE-2022-22963?

Patch guidance is available from vmware security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2022-22963.

Fix CVE-2022-22963 - CRITICAL vmware spring cloud function

Q: Which products are affected by CVE-2022-22963?

47 products: vmware spring cloud function, vmware spring cloud function, oracle banking branch, oracle banking cash management, oracle banking corporate lending process management, and 42 more.

Description

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-94 · Code Injection CWE-917

Metadata

Primary Vendor: VMWARE
Published: 4/1/2022
Last Modified: 10/30/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

vmware : spring_cloud_functionvmware : spring_cloud_functionoracle : banking_branchoracle : banking_cash_managementoracle : banking_corporate_lending_process_managementoracle : banking_credit_facilities_process_managementoracle : banking_electronic_data_exchange_for_corporatesoracle : banking_liquidity_managementoracle : banking_liquidity_managementoracle : banking_originationoracle : banking_supply_chain_financeoracle : banking_trade_finance_process_managementoracle : banking_virtual_account_managementoracle : communications_cloud_native_core_automated_test_suiteoracle : communications_cloud_native_core_automated_test_suiteoracle : communications_cloud_native_core_consoleoracle : communications_cloud_native_core_consoleoracle : communications_cloud_native_core_network_exposure_functionoracle : communications_cloud_native_core_network_function_cloud_native_environmentoracle : communications_cloud_native_core_network_function_cloud_native_environmentoracle : communications_cloud_native_core_network_function_cloud_native_environmentoracle : communications_cloud_native_core_network_repository_functionoracle : communications_cloud_native_core_network_repository_functionoracle : communications_cloud_native_core_network_slice_selection_functionoracle : communications_cloud_native_core_network_slice_selection_functionoracle : communications_cloud_native_core_policyoracle : communications_cloud_native_core_policyoracle : communications_cloud_native_core_policyoracle : communications_cloud_native_core_security_edge_protection_proxyoracle : communications_cloud_native_core_security_edge_protection_proxyoracle : communications_cloud_native_core_unified_data_repositoryoracle : communications_cloud_native_core_unified_data_repositoryoracle : communications_communications_policy_managementoracle : financial_services_analytical_applications_infrastructureoracle : financial_services_analytical_applications_infrastructureoracle : financial_services_behavior_detection_platformoracle : financial_services_behavior_detection_platformoracle : financial_services_behavior_detection_platformoracle : financial_services_enterprise_case_managementoracle : financial_services_enterprise_case_managementoracle : financial_services_enterprise_case_managementoracle : mysql_enterprise_monitororacle : product_lifecycle_analyticsoracle : retail_xstore_point_of_serviceoracle : retail_xstore_point_of_serviceoracle : sd-wan_edgeoracle : sd-wan_edge

Remediation Guidance

Executive Summary

View on NIST NVD