
The US Cybersecurity & Infrastructure Security Agency (CISA) has added CVE-2022-36537 to its Known Exploited Vulnerabilities catalog after threat actors began actively exploiting the flaw, an information-disclosure bug that attackers are chaining into remote code execution (RCE), in attacks.

CVE-2022-36537 is a high-severity flaw (CVSS v3.1: 7.5) affecting ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1. It allows an unauthenticated attacker to read sensitive information by sending a specially crafted POST request to the AuUploader component.

“ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the contents of a file located in the web context,” reads CISA’s description of the flaw.
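As an added example (it is not code from the article, CISA, ZK or Fox-IT), the following Python scanner walks web-server access-log lines and flags requests shaped like the file-read probe described above: a POST to the ZK AuUploader servlet whose query string names a file inside the web context. The servlet path `/zkau/upload`, the `nextURI` parameter name and the sample log lines are assumptions made for the example, not details taken from the article; adjust the path to your deployment.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# ASSUMED request shape (not from the article): ZK's AU upload servlet is
# served at <context>/zkau/upload and the file to disclose is named in a query
# parameter. Any parameter value that reaches into WEB-INF/META-INF or climbs
# with ../ is treated as a probe, whatever the parameter is called.
AU_UPLOAD_SUFFIX = "/zkau/upload"
CONTEXT_PATH_RE = re.compile(
    r"(^|/)(WEB-INF|META-INF)(/|$)|(^|/)\.\.(/|$)", re.IGNORECASE
)

# Apache/nginx "combined" log format; the constructed sample below follows it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(value: str, limit: int = 5) -> str:
    """URL-decode repeatedly so double-encoded traversal (%252F) is normalised."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def auuploader_probe(method: str, target: str):
    """Return (param, decoded_value) when the request looks like a file-read
    probe against the AuUploader servlet, else None. The article reports POST
    requests; drop the method check to also surface GET variants."""
    if method != "POST":
        return None
    parts = urlsplit(target)
    if not parts.path.lower().endswith(AU_UPLOAD_SUFFIX):
        return None
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        if CONTEXT_PATH_RE.search(value):
            return name, value
    return None


def scan_access_log(lines):
    """Return one finding dict per suspicious request; unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = auuploader_probe(m["method"], m["target"])
        if hit:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "param": hit[0], "value": hit[1],
            })
    return findings


# Constructed sample log (not real traffic): one benign ZK upload, two probes
# (one plain, one double-encoded under a context root), a GET, and junk.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jan/2023:03:12:41 +0000] "POST /zkau/upload?uuid=u1&dtid=z_a&sid=0&maxsize=10240 HTTP/1.1" 200 512',
    '198.51.100.23 - - [08/Jan/2023:03:13:02 +0000] "POST /zkau/upload?uuid=a&dtid=a&sid=0&nextURI=/WEB-INF/web.xml HTTP/1.1" 200 2310',
    '198.51.100.23 - - [08/Jan/2023:03:13:09 +0000] "POST /app/zkau/upload?uuid=a&dtid=a&sid=0&nextURI=%252FWEB-INF%252Fclasses%252Fapp.properties HTTP/1.1" 200 1184',
    '198.51.100.23 - - [08/Jan/2023:03:13:15 +0000] "GET /zkau/upload?nextURI=/WEB-INF/web.xml HTTP/1.1" 405 0',
    'not a log line at all',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['param']}={f['value']}")
```

Run against the constructed sample it reports the two POST probes and ignores the legitimate upload. A 200 status on a flagged request is the line worth escalating: it suggests the server actually returned the requested file rather than rejecting the parameter as the patched versions do.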

The flaw was discovered last year by Markus Wulftange and patched by ZK on May 5, 2022, with version 9.6.2.

ZK is an open-source Ajax web application framework written in Java, allowing web developers to create graphical user interfaces for web applications with minimal effort and programming knowledge.

The ZK framework is widely used in projects of all types and sizes, so the impact of the flaw is widespread and far-reaching.

Notable examples of products using the ZK framework include ConnectWise Recover, version 2.9.7 and earlier, and ConnectWise R1Soft Server Backup Manager, version 6.16.3 and earlier.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise” – CISA.

CISA has set March 20, 2023, as the deadline for applying the available security updates, giving federal agencies roughly three weeks to respond to the risk and take appropriate action to secure their networks.

Actively exploited

The addition of this vulnerability to CISA’s Known Exploited Vulnerabilities catalog follows a report by the Fox-IT team at NCC Group describing how the flaw was being exploited in the wild.

According to Fox-IT, during a recent incident response, an adversary was discovered exploiting CVE-2022-36537 to gain initial access to the ConnectWise R1Soft Server Backup Manager software.

The attackers then pivoted to the downstream systems connected through the R1Soft Backup Agent and deployed a malicious database driver with backdoor functionality, which let them execute commands on every system connected to that R1Soft server.

Based on this incident, Fox-IT investigated further and found that exploitation attempts against R1Soft server software had been ongoing worldwide since November 2022, identifying at least 286 servers running this backdoor as of January 9, 2023.

The exploitation is not unexpected: several proof-of-concept (PoC) exploits for the flaw were published on GitHub in December 2022.

Tools for attacking unpatched deployments of R1Soft Server Backup Manager are therefore widely available, making it imperative that administrators update to the latest version.
