CISA issues a warning about hackers using the ZK Java Framework RCE vulnerabilities

Once threat actors started aggressively using the remote code execution (RCE) issue in attacks, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2022-36537 to its “Known Exploited Vulnerabilities Catalog”.

The ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1 are all affected by the high-severity (CVSS v3.1: 7.5) CVE-2022-36537 issue, which allows attackers to access sensitive data by sending a carefully crafted POST request to the AuUploader component. The bug is described by CISA as having “unspecified vulnerability that could allow an attacker to retrieve the content of a file contained in the web context” in the servlets of the ZK Framework called AuUploader. Markus Wulftange found the vulnerability last year, and ZK fixed it on May 5, 2022, with version 9.6.2.

Web designers may easily and quickly construct graphical user interfaces for web apps with the help of the open-source Java Ajax Web app framework ZK. The problem has a wide-ranging impact because the ZK framework is widely used in projects of various shapes and sizes. ConnectWise Recover, version 2.9.7 and earlier, and ConnectWise R1SoftServer Backup Manager, version 6.16.3 and earlier, are notable instances of products using the ZK framework.

This vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog after the Fox-IT team of NCC Group released a paper outlining how the bug was being actively used in attacks. According to Fox-IT, it was found that an adversary used CVE-2022-36537 to acquire initial access to the ConnectWise R1Soft Server Backup Manager software during a recent incident response.

A malicious database driver with a backdoor was subsequently installed by the attackers, giving them access to any systems connected to that R1Soft server. The attackers then moved on to control downstream systems linked via the R1Soft Backup Agent. Fox-IT conducted further research into that incident and discovered that R1Soft server software has been the target of worldwide exploitation attempts since November 2022. As of January 9, 2023, at least 286 servers were determined to be carrying this backdoor. The fact that the vulnerability was exploited, however, is not shocking because several proof-of-concept (PoC) attacks were made public on GitHub in December 2022. The availability of tools to launch attacks against unpatched R1Soft Server Backup Manager deployments makes it essential for administrators to update to the most recent version.

Give us a call today!

Beringer Technology group can help your team navigate the ever-changing cybersecurity landscape. Reach out to Beringer Technology Group today. We can help evaluate your current cybersecurity posture with our Cyber Security Risk Assessment Solution, and implement the right security solutions for your organization.

Beringer Technology Group, a leading Microsoft Gold Certified Partner specializing in Microsoft Dynamics 365 and CRM for Distribution also provides expert Managed IT Services, Backup and Disaster Recovery, Cloud Based Computing, Email Security Implementation and Training, Unified Communication Solutions, and Cybersecurity Risk Assessment.