# [CRIT] Spring4Shell: What we know about the Java RCE vulnerability

**Source:** Snyk
**Published:** 2022-03-31
**Article:** https://snyk.io/blog/is-there-such-a-thing-as-spring4shell/

## Threat Profile

Written by Micah Silverman 
March 31, 2022
Already know about Spring4Shell? Jump straight to the Spring4Shell remediation section of this blog or read our Spring4Shell deep-dive to find out how the zero-day remote code execution (RCE) works.
Very early in the morning on March 30th (for me), my colleague DeveloperSteve posted a “Hey, have you seen this?” message in our Slack channel. It was an “advance warning” of a “probable” remote code execution (RCE) in t…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2022-22965`
- **CVE:** `CVE-2022-22963`
- **IPv4 (defanged):** `107.174.133.167`
- **IPv4 (defanged):** `194.31.98.186`
- **IPv4 (defanged):** `178.79.148.229`
- **IPv4 (defanged):** `82.165.137.177`
- **IPv4 (defanged):** `172.104.159.48`
- **IPv4 (defanged):** `109.74.204.123`
- **IPv4 (defanged):** `5.253.204.37`
- **Domain (defanged):** `test6.ggdd.co.uk`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1071** — Application Layer Protocol

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2022-22965`, `CVE-2022-22963`

- **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High**
  - IP / domain IOC(s): `107.174.133.167`, `194.31.98.186`, `178.79.148.229`, `82.165.137.177`, `172.104.159.48`, `109.74.204.123`, `5.253.204.37`, `test6.ggdd.co.uk`

## Why this matters

Severity classified as **CRIT** based on: CVE present, IOCs present, 2 use case(s) fired, 2 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
