Spring Boot Actuator endpoints are widely deployed in cloud environments but commonly misconfigured, which can expose sensitive data (heap dumps, environment variables) and enable attacks up to remote code execution. Attack scenarios include abusing an exposed /actuator/gateway/routes endpoint for SSRF or, on Spring Cloud Gateway versions affected by CVE-2022-22947, for RCE, and pulling credentials out of /actuator/heapdump or /actuator/env. #SpringBootActuator #SpringCloudGateway
Keypoints
- Spring Boot Actuator appears in ~60% of cloud environments; ~11% of those are publicly exposed and 24% of exposed instances have detectable misconfigurations.
- Exposed /actuator/heapdump can leak in-memory secrets (API keys, tokens, passwords) and 2.3% of exposed instances had heapdump exposed without authentication.
- Exposed /actuator/gateway/routes lets a client read the gateway's route table and, where the gateway actuator accepts route definitions, add routes that forward requests to arbitrary URIs, so it is an SSRF primitive by design; on Spring Cloud Gateway versions affected by CVE-2022-22947 a crafted route filter expression additionally yields remote code execution. 28% of environments using Spring Cloud Gateway had at least one vulnerable version.
- /actuator/env exposure (4% of exposed apps) reveals runtime configuration and environment variables that can include credentials and cloud keys.
- Attack paths from these misconfigurations include initial access, credential theft, lateral movement, and privilege escalation, even though the post attributes no publicly documented real-world incident to these specific misconfigurations.
- Mitigations include enforcing authentication/authorization (Spring Security), disabling or excluding sensitive endpoints, IP-restricting actuator access, and keeping components up to date; Wiz Dynamic Scanner can detect these misconfigurations in customer environments.
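The following is an added example, not code from the Wiz post or from Spring itself. It shows the checks a practitioner would run offline against two of the artifacts discussed above: an application.properties file (the weak exposure settings beside the hardened ones, both constructed here) and a /actuator/gateway/routes response (constructed, in the shape the gateway actuator returns) to flag routes that forward to the cloud metadata service or other private address space. The list of sensitive endpoint names and the Spring Boot 3 defaults assumed for `exposure.include` and `show-values` are this example's assumptions; Spring's relaxed-binding key variants are not normalized.

```python
"""Offline audit of Spring Boot Actuator exposure settings and gateway routes.

Added example; not the Wiz post's code. Sample inputs are constructed.
"""
import ipaddress
import json
from urllib.parse import urlparse

# Endpoints whose exposure this example treats as a finding (assumption).
SENSITIVE_ENDPOINTS = {
    "heapdump", "env", "gateway", "threaddump", "configprops",
    "beans", "mappings", "loggers", "shutdown",
}

# Constructed weak configuration: every endpoint over HTTP, env values unmasked.
WEAK_PROPERTIES = """
management.endpoints.web.exposure.include=*
management.endpoint.env.show-values=ALWAYS
"""

# Constructed hardened configuration: allow-list only, sensitive ones excluded,
# management traffic on its own port (to be bound to an internal interface).
HARDENED_PROPERTIES = """
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=heapdump,env,gateway
management.endpoint.env.show-values=NEVER
management.server.port=8081
"""

# Constructed /actuator/gateway/routes response; the second route is the
# SSRF pattern from the post (forwarding to the AWS metadata service).
ROUTES_JSON = json.dumps([
    {"route_id": "orders", "uri": "https://orders.example.internal:8443",
     "predicate": "Paths: [/orders/**]", "filters": [], "order": 0},
    {"route_id": "metadata_route", "uri": "http://169.254.169.254/latest/meta-data/",
     "predicate": "Paths: [/md/**]", "filters": [], "order": 1},
])


def parse_properties(text):
    """Minimal .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def exposed_web_endpoints(props):
    """Resolve include/exclude into the set of endpoints reachable over HTTP."""
    include = props.get("management.endpoints.web.exposure.include", "health")
    exclude = props.get("management.endpoints.web.exposure.exclude", "")
    inc = {e.strip() for e in include.split(",") if e.strip()}
    exc = {e.strip() for e in exclude.split(",") if e.strip()}
    if "*" in inc:  # wildcard exposes every endpoint, including the sensitive ones
        inc = SENSITIVE_ENDPOINTS | {"health", "info"}
    return inc - exc  # exclude wins over include, as in Spring Boot


def audit_properties(text):
    """Return human-readable findings for risky actuator settings."""
    props = parse_properties(text)
    exposed = exposed_web_endpoints(props)
    findings = [f"sensitive endpoint exposed over HTTP: {ep}"
                for ep in sorted(exposed & SENSITIVE_ENDPOINTS)]
    for ep in ("env", "configprops"):  # Spring Boot 3 default is NEVER (masked)
        show = props.get(f"management.endpoint.{ep}.show-values", "NEVER").upper()
        if ep in exposed and show == "ALWAYS":
            findings.append(f"{ep} show-values=ALWAYS: secrets returned unmasked")
    if ("shutdown" in exposed
            and props.get("management.endpoint.shutdown.enabled", "false").lower() == "true"):
        findings.append("shutdown endpoint enabled and exposed")
    return findings


def is_internal_target(uri):
    """True if a route URI points at loopback, link-local (metadata) or RFC1918 space."""
    host = (urlparse(uri).hostname or "").lower()
    if host in ("localhost", "metadata.google.internal", "metadata"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname; not resolved, so it stays offline
    return ip.is_loopback or ip.is_link_local or ip.is_private


def suspicious_routes(routes_json):
    """Route ids from a /actuator/gateway/routes body that forward internally."""
    return [r["route_id"] for r in json.loads(routes_json)
            if is_internal_target(r.get("uri", ""))]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(name, audit_properties(text) or ["no findings"])
    print("suspicious routes:", suspicious_routes(ROUTES_JSON))
```

Run the script as-is to see the weak profile produce one finding per sensitive endpoint plus the unmasked-env finding, the hardened profile produce none, and the metadata route get flagged; point `audit_properties` at a real application.properties and `suspicious_routes` at a saved routes response to use it against an actual deployment. Binding `management.server.port` to an internal interface and putting Spring Security in front of the actuator are still required; this script only checks what the configuration file says.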
MITRE Techniques
- [T1190] Exploit Public-Facing Application – used to achieve remote code execution by exploiting CVE-2022-22947 on exposed gateway endpoints (‘remote code execution (CVE-2022-22947)’)
- [T1552.005] Unsecured Credentials: Cloud Instance Metadata API – ATT&CK has no dedicated SSRF technique (the post's T1184 is a retired SSH-hijacking ID, not SSRF); the SSRF that gateway routes enable by design is used to reach internal services and the instance metadata endpoint, and the credential retrieval that results maps here (‘allows for Server-Side Request Forgery (SSRF) by design’)
- [T1552.001] Unsecured Credentials: Credentials in Files – /actuator/env returns configuration and environment values, and /actuator/heapdump returns the same secrets once they have been loaded into process memory (‘exposure of sensitive data and credentials (e.g., API keys, tokens, and passwords)’)
- [T1078] Valid Accounts – exposed credentials retrieved from heapdumps or env data can be used as valid credentials for initial access (‘These credentials could provide elevated access … allowing attackers to gain initial access to critical systems’)
- [T1021] Remote Services – stolen credentials and exposed endpoints facilitate lateral movement and remote access to other services in the environment (‘…facilitating lateral movement and privilege escalation in the course of complex, multi-stage attacks’)
Indicators of Compromise
- [IP address] AWS instance metadata service (internal) – 169.254.169.254; not an attacker address but the target used in the PoC to retrieve instance credentials, so gateway routes or outbound requests from an application host toward it are the signal to alert on
- [Endpoints] Exposed Spring Boot Actuator endpoints – /actuator/heapdump, /actuator/env, /actuator/gateway/routes (targets for data theft, SSRF, and RCE)
- [CVE] Vulnerability ID referenced – CVE-2022-22947 (Spring Cloud Gateway RCE)
- [Domain/URL] Vendor/security writeup and tooling links – https://www.wiz.io/blog/spring-boot-actuator-misconfigurations (source), Shodan and GreyNoise queries referenced for scanning activity
Read more: https://www.wiz.io/blog/spring-boot-actuator-misconfigurations