- Last update: 17/09/2025
- Affected software: Spring Cloud Gateway
  → >=3.1.0 <=3.1.9
  → >=4.0.0 <=4.0.9
  → >=4.1.0 <=4.1.9
  → >=4.2.0 <4.2.5
  → >=4.3.0 <4.3.1
- Type:
  → CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
  → CWE-94 Improper Control of Generation of Code ('Code Injection')
- CVE/CVSS:
  → CVE-2025-41243 CVSS 10 (CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
NVD NIST - https://nvd.nist.gov/vuln/detail/CVE-2025-41243
Spring recently disclosed a critical vulnerability in Spring Cloud Gateway. This library is used by the Spring Java framework to handle client requests towards applications and to provide services such as authentication, routing and load balancing.
Vulnerable versions of this library have incorrectly configured access control on the Spring Boot Actuator, which provides management and monitoring services. This enables unauthenticated remote attackers to compromise the application's runtime environment through this API endpoint and to gain access to sensitive information or perform privilege escalation.
This attack has a high impact on the confidentiality, integrity and availability of the affected data.
For the exploitation to occur, the following conditions must be met:
Through misuse of this gateway's API endpoint, an attacker can manipulate aspects of the application's runtime environment through code injection. Changing environment variables can trigger unexpected behavior in the application.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
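As an added illustration of the two points above (the Actuator access-control issue and the Monitor/Detect advice), the following Python helpers, which are not CCB or Spring code, check an application.properties fragment for a web-exposed gateway actuator endpoint (weak setting beside the corrected one) and flag state-changing requests to that endpoint in constructed access-log lines. The /actuator base path, the gateway endpoint id and the property defaults are assumptions taken from Spring Boot documentation, not from this advisory.

```python
"""Audit helpers for the actuator exposure described in this advisory.
Constructed example, not CCB or Spring code. Assumes Spring Boot's default
actuator base path (/actuator) and the gateway endpoint id 'gateway'."""
import re
# Weak setting: gateway endpoint enabled and every actuator endpoint web-exposed.
WEAK_CONFIG = """
management.endpoint.gateway.enabled=true
management.endpoints.web.exposure.include=*
"""
# Corrected setting: gateway endpoint disabled, only health/info exposed.
HARDENED_CONFIG = """
management.endpoint.gateway.enabled=false
management.endpoints.web.exposure.include=health,info
"""

def parse_properties(text):
    """Minimal application.properties parser (key=value, '#'/'!' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def gateway_endpoint_exposed(props):
    """True when the gateway actuator endpoint is enabled and reachable over HTTP."""
    # Assumption: enabled unless set to false; Spring Boot web-exposes only 'health' by default.
    enabled = props.get("management.endpoint.gateway.enabled", "true").lower() == "true"
    include = {v.strip() for v in props.get("management.endpoints.web.exposure.include", "health").split(",")}
    exclude = {v.strip() for v in props.get("management.endpoints.web.exposure.exclude", "").split(",")}
    # Exclusion wins over inclusion; '*' matches every endpoint.
    return enabled and ("*" in include or "gateway" in include) and not ("*" in exclude or "gateway" in exclude)

# Constructed access-log lines (common log format) for the detection check.
LOG_LINES = [
    '203.0.113.7 - - [17/Sep/2025:10:00:02 +0200] "POST /actuator/gateway/routes/r1 HTTP/1.1" 201 0',
    '203.0.113.7 - - [17/Sep/2025:10:00:03 +0200] "POST /actuator/gateway/refresh HTTP/1.1" 200 0',
    '10.0.0.9 - - [17/Sep/2025:10:00:04 +0200] "GET /actuator/health HTTP/1.1" 200 15',
]
REQ_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def flag_actuator_writes(lines, base_path="/actuator"):
    """Return (source, method, path) for state-changing requests to the gateway endpoint."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if m and m["method"] != "GET" and m["path"].startswith(base_path + "/gateway"):
            hits.append((m["src"], m["method"], m["path"]))
    return hits
```

Any hit from `flag_actuator_writes` on a gateway that should not be administered over HTTP is worth treating as a potential indicator of the historic compromise the paragraph above warns about.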
Tenable - https://www.tenable.com/cve/CVE-2025-41243
Herodevs - https://www.herodevs.com/vulnerability-directory/cve-2025-41243?nes-for-spring