A dangerous flaw allows a hacker to steal sensitive data and take control of systems on a server.
The US Cybersecurity and Infrastructure Protection Agency (CISA) added the CVE-2022-36537 vulnerability to its Catalog of Known Exploited Vulnerabilities after hackers began to actively use this flaw for remote code execution (RCE) in attacks.
CVE-2022-36537 (CVSS v3.1:7.5) affects ZK Framework AuUploader servlets versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, 8.6.4.1 and allows attackers to gain access to sensitive information by sending a specially crafted POST request to the AuUploader component.
The defect was discovered last year by Markus Wulftanj and fixed by ZK on May 5, 2022 in version 9.6.2.
ZK is an open source Ajax web application framework written in Java that allows web developers to create graphical user interfaces for web applications with minimal effort and programming knowledge. The ZK framework is widely used in projects of all types and sizes, so the impact of a defect is wide and far reaching. Among the products that use the ZK framework are ConnectWise Recover and ConnectWise R1SoftServer Backup Manager.
The addition of this vulnerability to the CISA catalog of known exploited vulnerabilities comes after NCC Group's Fox-IT team published a report that describes how this flaw is actively exploited in attacks.
According to Fox-IT, the vulnerability allowed a cybercriminal to gain initial access to the ConnectWise R1Soft Server Backup Manager software. The attacker then took control of subsequent systems connected via R1Soft Backup Agent and deployed a malicious database driver with a backdoor function, allowing him to execute commands on all systems connected to this R1Soft server.
Fox-IT found that attempts to exploit a vulnerability against R1Soft server software have been made around the world since November 2022, and as of January 9, 2023, at least 286 servers with a backdoor have been discovered. However, the exploitation of the vulnerability was expected, as numerous PoC exploits were published on GitHub in December 2022.
Thus, tools to attack unpatched installations of R1Soft Server Backup Manager are widely available, so it is imperative for administrators to update them to the latest version.