Updated: March 6, 2023
There is a remote code execution flaw in the ZK Open Source JAVA framework for creating web applications.
The ZK Framework is used by Connectwise R1Soft Server Backup Manager software in their products R1Soft and Recovery products. The vulnerability in ZK Framework is being exploited to execute code remotes and allow for installation of malicious drivers, specifically in its AU uploader component.
Java Based ZK Framework Vulnerability Explanation
A.N. Ananth, Chief Strategy Officer for Netsurion, explains the history of the recent ZK Framework vulnerability – who could be affected and remediation steps to be aware of to prevent further breaches.
The attacker can use the vulnerability in the java based ZK Framework through bypassing the authentication process to execute code and run commands remotely. Due to the vulnerability, the attacker can install malicious database drivers (JDBC) that contain remote shell or backdoors to gather information. Then they use REST API that’s built into R1 Soft SBM to instruct connected agents to push ransomware downstream.
This vulnerability has a risk rating as High and a 7.5 out of 10.0 severity on the CVSS 3.0 severity scale in the National Vulnerability Database (NVD).
It is very likely an attacker could exploit this vulnerability by sending a specially crafted HTTP request and bypassing authentication to upload malicious driver files or remote shell commands.
- All platforms and applications using ZK Framework
- ZK Framework from 9.6.1 and below
- ConnectwiseRecover v2.9.7 and earlier versions are vulnerable
- Connectwise R1Soft Server Backup Manager (SBM) v6.16.3 and earlier versions are vulnerable
Mitigations / Workarounds
- Upgrade the ZK Framework to these corresponding fixed versions or higher
- ZK Framework version 9.6.2
- ZK Framework version 22.214.171.124
- ZK Framework version 126.96.36.199
- ZK Framework version 188.8.131.52
- ZK Framework version 184.108.40.206
- Upgrade ConnectWiseRecover to version 2.9.9 and above
- Upgrade ConnectWise R1Soft to version 6.16.4 and above
The exploitation of this vulnerability is very likely as public PoCs are available. Best practices to mitigate this vulnerability include:
- To stay protected against CVE-2022-36537 exploits and ZK framework vulnerabilities, it is important that any users of ZK framework versions 9.6.1 or below upgrade their systems and impacted applications including ConnectWiseRecover and ConnectWise R1Soft.
Netsurion Detection and Response
At this time, our Netsurion Managed Open XDR security experts have determined that since none of the modules use the ZK framework, it is not impacted and neither are our customers and partners.
Indicators of Compromise (IoCs)
Unfortunately, there are not indicators of compromise, but Netsurion highly recommends that if you are running ConnectWiseRecover v2.9.7 and earlier or ConnectWise R1Soft Servicer Backup Manager version 6.16.3 and earlier versions should update these current systems and continually monitor them.
Detection by Netsurion Vulnerability Management Service
Our team is working on adding signature for CVE-2022-36537 in Netsurion Vulnerability Management System.
Contact your Netsurion Account Manager with any questions.