CVE-2022-36537 is a highly severe vulnerability in the ZK Framework, that CISA (Cybersecurity and Infrastructure Security Agency) just added to its exploit catalogue. Apparently, the vulnerability has been leveraged in the wild in attacks which can lead to retrieving sensitive information via specially crafted requests.
CVE-2022-36537 Details
Affected versions are the following: ZK Framework 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1. According to the Security Agency, “this type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise.” As a result of this exploitation, CISA added CVE-2022-36537 to its Known Exploited Vulnerabilities Catalogue.
What Is ZK Framework?
ZK is an open-source, Java-based framework for developing Ajax Web applications that allow users to create graphical user interfaces without extensive programming knowledge. Its core is an event-driven Ajax mechanism, backed by 123 XUL and 83 XHTML components, and a mark-up language for designing user interfaces.
ZK employs a server-centric methodology that allows the engine to manage content synchronization of components and the event pipe-lining between clients and servers, while also making Ajax plumbing codes transparent to web application developers.
CISA stated that the ZK Framework is an open source Java framework, and that this vulnerability can affect multiple products, including ConnectWise R1Soft Server Backup Manager, though not limited to it.
CVE-2022-36537: Impact and Overview of Attacks
In May 2022, the vulnerability was patched in versions 9.6.2, 9.6.0.2, 9.5.1.4, 9.0.1.3, and 8.6.4.2. However, in October 2022 Huntress was able to weaponize the vulnerability with a proof-of-concept (PoC) to bypass authentication, upload a backdoored JDBC database driver, and deploy ransomware on susceptible endpoints.
Singapore-based Numen Cyber Labs then published their own PoC in December 2022, and found more than 4,000 Server Backup Manager instances exposed on the internet. Subsequently, the vulnerability came under mass exploitation as reported by NCC Group’s Fox-IT research team last week, leading to 286 servers with a web shell backdoor.
The US, South Korea, the UK, Canada, Spain, Colombia, Malaysia, Italy, India, and Panama are the countries most affected. As of February 20, 2023, 146 R1Soft servers remain backdoored. Fox-IT has also reported that the adversary was able to exfiltrate VPN configuration files, IT administration information, and other sensitive documents during the compromise.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: