
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added CVE-2022-36537 to its "Known Exploited Vulnerabilities Catalog" after threat actors began actively exploiting the remote code execution (RCE) flaw in attacks.

CVE-2022-36537 is a high-severity (CVSS v3.1: 7.5) flaw impacting the ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1, enabling attackers to access sensitive information by sending a specially crafted POST request to the AuUploader component.

"ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context," mentions CISA's description of the flaw.

The flaw was discovered last year by Markus Wulftange and addressed by ZK on May 05, 2022, with version 9.6.2.

ZK is an open-source Ajax Web app framework written in Java, enabling web developers to create graphical user interfaces for web applications with minimal effort and programming knowledge.

The ZK framework is widely employed in projects of all types and sizes, so the flaw's impact is widespread and far-reaching.

Notable examples of products using the ZK framework include ConnectWise Recover, version 2.9.7 and earlier, and ConnectWise R1Soft Server Backup Manager, version 6.16.3 and earlier.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise" – CISA.

CISA set the deadline to apply the available security updates to March 20, 2023, giving federal agencies roughly three weeks to respond to the security risk and take proper action to secure their networks.

Actively exploited

The addition of this vulnerability to CISA's Known Exploited Vulnerabilities Catalog comes after NCC Group's Fox-IT team published a report describing how the flaw was being actively exploited in attacks.

According to Fox-IT, during a recent incident response, it was discovered that an adversary exploited CVE-2022-36537 to gain initial access to ConnectWise R1Soft Server Backup Manager software.

The attackers then moved to control downstream systems connected via the R1Soft Backup Agent and deployed a malicious database driver with backdoor functionality, enabling them to execute commands on all systems connected to that R1Soft server.

Based on that incident, Fox-IT investigated further and found that worldwide exploitation attempts against R1Soft server software have been underway since November 2022, detecting at least 286 servers running this backdoor as of January 9, 2023.

However, the exploitation of the vulnerability is not unexpected, as multiple proof-of-concept (PoC) exploits were published on GitHub in December 2022.

Therefore, tools to perform attacks against unpatched R1Soft Server Backup Manager deployments are widely available, making it imperative that administrators update to the latest version.
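A small triage script, added here as an example (it is not code from the article, ZK or ConnectWise): it classifies ZK core jar versions found on a host against the affected versions and the 9.6.2 fix release named above, and picks out POST requests to the ZK AU upload servlet in web-server access logs. It assumes the jar naming scheme zk-<version>.jar and the servlet path /zkau/upload, neither of which the article states; the directory listing and log lines are constructed.

```python
import re

# Versions the article lists as affected, and the release ZK shipped the fix in.
AFFECTED = {"9.6.1", "9.6.0.1", "9.5.1.3", "9.0.1.2", "8.6.4.1"}
FIXED = "9.6.2"
# Path of the ZK AU upload servlet (an assumption of this example; not stated in the article).
AU_UPLOAD_PATH = "/zkau/upload"

def parse_version(v):
    """'9.6.0.1' -> (9, 6, 0, 1); tuples compare correctly component by component."""
    return tuple(int(p) for p in v.split("."))

def classify(version):
    """'affected' if the article lists it, 'patched' if at or above the fix release,
    'review' for older releases the article does not name (check vendor backports)."""
    if version in AFFECTED:
        return "affected"
    if parse_version(version) >= parse_version(FIXED):
        return "patched"
    return "review"

JAR_RE = re.compile(r"^zk-(\d+(?:\.\d+)+)\.jar$")

def scan_jars(filenames):
    """Return (filename, version, verdict) for every ZK core jar in a directory listing."""
    results = []
    for name in filenames:
        m = JAR_RE.match(name)
        if m:
            results.append((name, m.group(1), classify(m.group(1))))
    return results

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def upload_posts(log_lines):
    """Return (client, path, status) for POST requests to the AU upload servlet;
    a burst of these from one client against an unpatched server is worth investigating."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("method") == "POST" and m.group("path").startswith(AU_UPLOAD_PATH):
            hits.append((line.split()[0], m.group("path"), int(m.group("status"))))
    return hits

# Constructed sample data so the script runs stand-alone.
SAMPLE_JARS = ["zk-9.6.1.jar", "zul-9.6.1.jar", "zk-9.6.2.jar", "zk-9.5.0.jar"]
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2023:10:00:01 +0000] "POST /zkau/upload?uuid=a&dtid=b HTTP/1.1" 200 512',
    '10.0.0.6 - - [12/Jan/2023:10:00:02 +0000] "GET /zkau/web/js/zk.wpd HTTP/1.1" 200 4096',
    '10.0.0.5 - - [12/Jan/2023:10:00:03 +0000] "POST /zkau HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for name, version, verdict in scan_jars(SAMPLE_JARS):
        print("%s (%s) -> %s" % (name, version, verdict))
    for hit in upload_posts(SAMPLE_LOG):
        print("upload POST from %s to %s (HTTP %d)" % hit)
```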


Update 3/2/23 - ConnectWise's CISO, Patrick Beggs, has sent BleepingComputer the following comment regarding the above:

In October 2022, we identified and issued a fix to a newly identified flaw in a component of our underlying framework in ConnectWise Recover and R1Soft, following a responsible disclosure from a third party. We informed our partners of the fix and encouraged those with on-premise instances of the impacted product to install the patch as soon as possible.

There was no action required for most partners with ConnectWise Recover; both the cloud and client instances of Server Backup Manager (SBM) were updated as we pushed this patch directly. R1Soft is self-managed; we encouraged these partners to apply the patch quickly.

As these threat actors are targeting unpatched servers for exploitation, we continue to encourage our partners to follow industry best practices and patch immediately.
