CVE-2025-22235 – VMware Tanzu Spring Boot Vulnerability

Severity

High

Analysis Summary

CVE-2025-22235

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected if it uses Spring Security with EndpointRequest.to() in the security chain, and the referenced endpoint is disabled or not exposed via web. This can lead to unexpected behavior if your application handles /null paths that require protection.

Impact

Security Bypass

Indicators of Compromise

CVE

CVE-2025-22235

Affected Vendors

VMware

Affected Products

VMware Tanzu Spring Boot - 2.7.0
VMware Tanzu Spring Boot - 3.1.0
VMware Tanzu Spring Boot - 3.2.0
VMware Tanzu Spring Boot - 3.3.0
VMware Tanzu Spring Boot - 3.4.0

Remediation

Upgrade to the latest version of Spring Boot, available from the VMware Security Advisory.

VMware Security Advisory

LokiBot Malware – Active IOCs

Multiple Juniper Networks Vulnerabilities

CVE-2025-22235 – VMware Tanzu Spring Boot Vulnerability

Severity

High

Analysis Summary

Indicators of Compromise

CVE

Affected Vendors

Affected Products

Remediation

Security Operations Centers across the region

Saudi Arabia

UAE

Oman

Pakistan