
CVE-2022-23463: CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') in Nepxion Discover

Medium
Published: Sat Sep 24 2022 (09/24/2022, 04:40:12 UTC)
Source: CVE
Vendor/Project: Nepxion
Product: Discover

Description

Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes such as java.lang.Runtime, leading to Remote Code Execution. There is no patch available for this issue at time of publication. There are no known workarounds.

AI-Powered Analysis

Last updated: 06/21/2025, 23:48:26 UTC

Technical Analysis

CVE-2022-23463 is a vulnerability identified in Nepxion Discover version 6.16.2, a solution designed for Spring Cloud environments. The vulnerability arises from improper neutralization of special elements used in an Expression Language (SpEL) statement, classified under CWE-917. Specifically, the issue resides in the DiscoveryExpressionResolver component's eval method, which evaluates expressions using a StandardEvaluationContext. This context allows the evaluated expression to access and interact with Java classes, including sensitive ones such as java.lang.Runtime. Consequently, an attacker can craft malicious SpEL expressions that lead to remote code execution (RCE) on the affected system. The vulnerability is critical because it enables execution of arbitrary code remotely without requiring authentication or user interaction. At the time of publication, no patches or workarounds are available, increasing the risk for organizations using this specific version of Nepxion Discover. Although no known exploits have been observed in the wild yet, the technical nature of the flaw and the lack of mitigation measures make it a significant threat vector, especially in environments where Nepxion Discover is deployed as part of microservices or cloud-native infrastructure.
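The difference between the context type named above and Spring's restricted alternative, as an added example (not code from Nepxion Discover or from this advisory). The class `SpelContextDemo`, its method names, the `#H` variable and the sample header map are assumptions made for illustration; the Spring classes are the real `spring-expression` API, and the type reference used is a harmless property read.

```java
import java.util.Map;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Hypothetical demo class; it is not Nepxion's DiscoveryExpressionResolver.
public class SpelContextDemo {
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // The pattern the advisory describes: a StandardEvaluationContext resolves
    // T(...) type references, so an expression can reach arbitrary Java classes.
    static Object evalUnrestricted(String expr, Map<String, String> headers) {
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        ctx.setVariable("H", headers);
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    // Restricted evaluation: SimpleEvaluationContext has no type locator,
    // constructor resolver or bean resolver, and here no method resolver either.
    static Boolean evalRestricted(String expr, Map<String, String> headers) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("H", headers);
        return PARSER.parseExpression(expr).getValue(ctx, Boolean.class);
    }

    public static void main(String[] args) {
        Map<String, String> headers = Map.of("region", "eu"); // constructed sample
        String routing = "#H['region'] == 'eu'";               // data-only expression
        String typeRef = "T(java.lang.System).getProperty('java.version')";

        // Data-only expressions behave the same in both contexts.
        System.out.println("unrestricted routing: " + evalUnrestricted(routing, headers));
        System.out.println("restricted routing:   " + evalRestricted(routing, headers));

        // The type reference resolves in the standard context ...
        System.out.println("unrestricted typeRef: " + evalUnrestricted(typeRef, headers));

        // ... and is rejected by the restricted one before any class is touched.
        try {
            evalRestricted(typeRef, headers);
        } catch (SpelEvaluationException e) {
            System.out.println("restricted typeRef rejected: " + e.getMessageCode());
        }
    }
}
```

Whether a restricted context is compatible with the expressions a given Nepxion Discover deployment relies on has to be verified per deployment; the advisory itself lists no patch or workaround.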

Potential Impact

For European organizations, the impact of this vulnerability can be severe. Nepxion Discover is used in Spring Cloud-based microservice architectures, which are common in enterprise environments for service discovery and configuration management. Exploitation of this vulnerability could lead to full system compromise, allowing attackers to execute arbitrary commands, deploy malware, or move laterally within the network. This threatens confidentiality, integrity, and availability of critical business applications and data. Organizations in sectors such as finance, manufacturing, telecommunications, and government, which heavily rely on cloud-native applications and microservices, could face operational disruptions, data breaches, and regulatory non-compliance. The absence of patches or workarounds means that affected systems remain exposed until either an update is released or alternative mitigations are implemented. Additionally, the vulnerability could be leveraged in targeted attacks or supply chain compromises, amplifying its potential impact across interconnected systems.

Mitigation Recommendations

Given the absence of an official patch or workaround, European organizations should implement the following specific measures:

1) Conduct an immediate inventory to identify all instances of Nepxion Discover version 6.16.2 in their environment.
2) Isolate or restrict network access to affected services, especially limiting exposure to untrusted networks or the internet.
3) Employ strict input validation and sanitization at the application layer to prevent untrusted user input from reaching the vulnerable eval method.
4) Utilize runtime application self-protection (RASP) or Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SpEL expressions or anomalous requests targeting the discovery-commons component.
5) Monitor logs and network traffic for unusual activity indicative of exploitation attempts, such as unexpected command execution or access to java.lang.Runtime.
6) Engage with Nepxion or community forums for updates on patches or mitigations and plan for timely upgrades once available.
7) Consider deploying compensating controls such as containerization or sandboxing of services running Nepxion Discover to limit the blast radius of potential exploitation.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-01-19T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9849c4522896dcbf6887

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/21/2025, 11:48:26 PM

Last updated: 8/14/2025, 3:31:54 PM
