Updated: March 6, 2023

Overview

There is a remote code execution flaw in the ZK Open Source JAVA framework for creating web applications.

Background

The ZK Framework is used by Connectwise R1Soft Server Backup Manager software in their products R1Soft and Recovery products. The vulnerability in ZK Framework is being exploited to execute code remotes and allow for installation of malicious drivers, specifically in its AU uploader component.

zk framework thumb1

Java Based ZK Framework Vulnerability Explanation

A.N. Ananth, Chief Strategy Officer for Netsurion, explains the history of the recent ZK Framework vulnerability – who could be affected and remediation steps to be aware of to prevent further breaches.

Watch the Video

Impact

The attacker can use the vulnerability in the java based ZK Framework through bypassing the authentication process to execute code and run commands remotely. Due to the vulnerability, the attacker can install malicious database drivers (JDBC) that contain remote shell or backdoors to gather information. Then they use REST API that’s built into R1 Soft SBM to instruct connected agents to push ransomware downstream.

Applicable Versions

This vulnerability has a risk rating as High and a 7.5 out of 10.0 severity on the CVSS 3.0 severity scale in the National Vulnerability Database (NVD).

It is very likely an attacker could exploit this vulnerability by sending a specially crafted HTTP request and bypassing authentication to upload malicious driver files or remote shell commands.

  • All platforms and applications using ZK Framework
  • ZK Framework from 9.6.1 and below
  • ConnectwiseRecover v2.9.7 and earlier versions are vulnerable
  • Connectwise R1Soft Server Backup Manager (SBM) v6.16.3 and earlier versions are vulnerable

Mitigations / Workarounds

  • Upgrade the ZK Framework to these corresponding fixed versions or higher
    • ZK Framework version 9.6.2
    • ZK Framework version 9.6.0.2
    • ZK Framework version 9.5.1.4
    • ZK Framework version 9.0.1.3
    • ZK Framework version 8.6.4.2
  • Upgrade ConnectWiseRecover to version 2.9.9 and above
  • Upgrade ConnectWise R1Soft to version 6.16.4 and above

Best Practices

The exploitation of this vulnerability is very likely as public PoCs are available. Best practices to mitigate this vulnerability include:

  • To stay protected against CVE-2022-36537 exploits and ZK framework vulnerabilities, it is important that any users of ZK framework versions 9.6.1 or below upgrade their systems and impacted applications including ConnectWiseRecover and ConnectWise R1Soft.

Netsurion Detection and Response

At this time, our Netsurion Managed Open XDR security experts have determined that since none of the modules use the ZK framework, it is not impacted and neither are our customers and partners.

Indicators of Compromise (IoCs)

Unfortunately, there are not indicators of compromise, but Netsurion highly recommends that if you are running ConnectWiseRecover v2.9.7 and earlier or ConnectWise R1Soft Servicer Backup Manager version 6.16.3 and earlier versions should update these current systems and continually monitor them.

Detection by Netsurion Vulnerability Management Service

Our team is working on adding signature for CVE-2022-36537 in Netsurion Vulnerability Management System.

Contact your Netsurion Account Manager with any questions.

References:

Cybersecurity Updates
Latest Advisory Alerts

Palo Alto PAN-OS Command Injection Vulnerability

D-Link NAS Command Injection Vulnerability

VMware ESXi, Workstation, and Fusion Vulnerabilities

Latest Data Source Integrations

AWS Key Management Service (KMS)

Have I Been Pwned

SentinelOne

Latest Enhancements

Netsurion Open XDR Now Supports PCI DSS 4.0

Extended Data Source Integrations and Alerts Released for Essentials

Enriched Application Control in Open XDR 9.4