
Spring4Shell: Class-Loader RCE to Webshell (CVE-2022-22965)
An internet-facing Java Spring MVC application is compromised through CVE-2022-22965 (Spring4Shell), a class-loader manipulation flaw that turns Tomcat's own logging system into a webshell writer. Working from the Tomcat access logs and the perimeter firewall, trace the exploit request, identify what landed on disk, follow the operator's command sessions, and catch the pivot to an internal backend service.
Launches in 5 days
Tuesday, July 7, 2026 at 9:00 AM
Be ready the moment it drops — free forever.
Training Tools
What you'll investigate
6 objectives unlock when this operation goes live.
Be first when it launches
Create your free account now. The moment this operation goes live on Jul 7, 2026, you can jump straight in — and you'll have the rest of the catalog to train on meanwhile.
Get Started FreeNo credit card required — free forever