Moxa Moxa’s Response Regarding the Spring Shell Vulnerability (CVE-2022-22965)

Act Nowmoxas-response-regarding-the-spring-shell-vulnerability-cve-2022-22965Apr 19, 2022

Summary

Spring Shell vulnerability (CVE-2022-22965) affects Spring MVC and Spring WebFlux applications running on JDK 9+. Exploitation requires the application to run on Tomcat as a WAR deployment; Spring Boot executable jar deployments (the default) are not vulnerable to the known exploit. The vulnerability is being investigated for potential impact on Moxa products. At the time of this advisory, Moxa reports that none of its products are confirmed affected. Moxa PSIRT is monitoring for updates.

What this means

What could happen

If a Moxa product were confirmed vulnerable and deployed as a WAR on Tomcat, an attacker could execute arbitrary code on the affected system, potentially taking control of network gateways or edge devices that manage industrial plant communications and data.

Who's at risk

Water utilities, electric utilities, and other critical infrastructure operators using Moxa industrial gateways, edge computing devices, or management appliances should care about this advisory. Moxa products commonly used for gateway management, protocol conversion, and network communication in ICS/SCADA environments are the concern. However, Moxa states that none of its products are currently confirmed affected.

How it could be exploited

An attacker would craft a malicious HTTP request exploiting the Spring parameter binding mechanism to write a shell script or JSP file to the Tomcat web directory. The attacker would then execute the uploaded file by accessing it via HTTP, gaining remote code execution on the device.

Prerequisites

Network access to the HTTP/HTTPS port of the affected Moxa product
Moxa product must be running Spring MVC or Spring WebFlux application
Application must be deployed as a WAR on Tomcat (not the default Spring Boot jar)
Target system must run JDK 9 or later

Actively exploited (KEV)Extremely high EPSS score (94.4%)Remotely exploitableNo authentication requiredLow complexity exploit

Exploitability

Actively exploited — confirmed by CISA KEV

Affected products (1)

ProductAffected VersionsFix Status

Moxa’s Response Regarding the Spring Shell Vulnerability (CVE-2022-22965)All versionsNo fix yet

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGContact Moxa technical support to verify whether any of your deployed Moxa products use Spring MVC or Spring WebFlux with WAR deployments on Tomcat.

WORKAROUNDIf a Moxa product is confirmed to use the vulnerable Spring framework deployment pattern, isolate or air-gap the affected device until Moxa releases a patched version.

HARDENINGImplement network access controls (firewall rules) to restrict HTTP/HTTPS access to Moxa management interfaces to authorized engineering and administrative networks only.

Long-term hardening

0/1

HARDENINGMonitor Moxa security advisories and subscribe to Moxa PSIRT notifications for any updates regarding this vulnerability.

CVEs (1)

CVE-2022-22965

View full Moxa Security advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/25d0bb64-3de6-4baa-948b-c83f09e52828