CVE-2022-36537 is a highly severe vulnerability in the ZK Framework, that CISA (Cybersecurity and Infrastructure Security Agency) just added to its exploit catalogue. Apparently, the vulnerability has been leveraged in the wild in attacks which can lead to retrieving sensitive information via specially crafted requests.
Affected versions are the following: ZK Framework 9.6.1, 220.127.116.11, 18.104.22.168, 22.214.171.124, and 126.96.36.199. According to the Security Agency, “this type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise.” As a result of this exploitation, CISA added CVE-2022-36537 to its Known Exploited Vulnerabilities Catalogue.
What Is ZK Framework?
ZK is an open-source, Java-based framework for developing Ajax Web applications that allow users to create graphical user interfaces without extensive programming knowledge. Its core is an event-driven Ajax mechanism, backed by 123 XUL and 83 XHTML components, and a mark-up language for designing user interfaces.
ZK employs a server-centric methodology that allows the engine to manage content synchronization of components and the event pipe-lining between clients and servers, while also making Ajax plumbing codes transparent to web application developers.
CISA stated that the ZK Framework is an open source Java framework, and that this vulnerability can affect multiple products, including ConnectWise R1Soft Server Backup Manager, though not limited to it.
CVE-2022-36537: Impact and Overview of Attacks
In May 2022, the vulnerability was patched in versions 9.6.2, 188.8.131.52, 184.108.40.206, 220.127.116.11, and 18.104.22.168. However, in October 2022 Huntress was able to weaponize the vulnerability with a proof-of-concept (PoC) to bypass authentication, upload a backdoored JDBC database driver, and deploy ransomware on susceptible endpoints.
Singapore-based Numen Cyber Labs then published their own PoC in December 2022, and found more than 4,000 Server Backup Manager instances exposed on the internet. Subsequently, the vulnerability came under mass exploitation as reported by NCC Group’s Fox-IT research team last week, leading to 286 servers with a web shell backdoor.
The US, South Korea, the UK, Canada, Spain, Colombia, Malaysia, Italy, India, and Panama are the countries most affected. As of February 20, 2023, 146 R1Soft servers remain backdoored. Fox-IT has also reported that the adversary was able to exfiltrate VPN configuration files, IT administration information, and other sensitive documents during the compromise.