Datto’s Response to Spring4Shell

On Wednesday, March 30, 2022 news of active exploitation of a previously unknown zero day Remote Code Execution vulnerability (CVE-2022-22965) in a component of java-based software, referred to as Spring4Shell, became widely known. The extent to which this software package is integrated into the world’s technologies and platforms is still being discovered, making response a fluid activity for any security program.

At this time, Datto has not assessed any material exposure to the Spring4Shell vulnerability that would impact the safe use of Datto products. Should this assessment change, we will update Datto partners immediately.

We have completed an initial comprehensive assessment and response. The focus of those activities centered around the following:

• Assessing usage within Datto products
• Inspecting infrastructure systems in our asset inventories
• Researching vulnerable third-party technologies
• Inventorying Datto’s third-party vendors to engage them and understand their response

While we consider our initial response complete, we remain in a state of active monitoring and readiness to respond. This situation is evolving and additional affected technologies could become known over the coming days and weeks ahead. All technology professionals will need to monitor for the latest developments and continually reassess their exposures.

Datto remains vigilant and will support our partners and the MSP community as the situation evolves.