CISA warns of active exploitation of RCE vulnerability in the ZK Java Framework

The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability CVE-2022-36537 to its Known Exploited Vulnerabilities catalog after hackers began actively exploiting this flaw for remote code execution (RCE) in attacks.

CVE-2022-36537 (CVSS v3.1: 7.5) affects the ZK Framework AuUploader servlet in versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1, and allows attackers to gain access to confidential information by sending a specially crafted POST request to the AuUploader component.

The flaw was discovered last year by Markus Wulftange and fixed by ZK on May 5, 2022 in version 9.6.2.

ZK is an open source AJAX framework written in Java that allows web developers to create graphical user interfaces for web applications with minimal effort and programming knowledge. The ZK framework is widely used in projects of all types and sizes, so the impact of the flaw is broad and far-reaching. Among the products built on the ZK framework are ConnectWise Recover and ConnectWise R1Soft Server Backup Manager.

The vulnerability was added to CISA's Known Exploited Vulnerabilities catalog after NCC Group's Fox-IT team published a report describing how this flaw is being actively used in attacks.

According to Fox-IT, the vulnerability allowed a cybercriminal to gain initial access to the ConnectWise R1Soft Server Backup Manager. The attacker then took control of downstream systems connected via the R1Soft Backup Agent and deployed a malicious database driver with backdoor functionality, which allowed him to execute commands on all systems connected to that R1Soft server.

Fox-IT found that exploitation attempts against R1Soft servers have been made worldwide since November 2022, and as of January 9, 2023, at least 286 backdoored servers had been discovered. Such exploitation was to be expected, since numerous PoC exploits were published on GitHub in December 2022.

Thus, tools for attacking vulnerable installations of R1Soft Server Backup Manager are widely available, so administrators need to update to the latest version.
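For administrators who need to find out whether a Java project still pulls in an affected ZK release, the following script is an added example (not code from the article, from ZK or from ConnectWise). It audits a Maven pom.xml for ZK dependencies, resolves `${...}` property references, and classifies each version against the advisory data quoted above. Two things are assumptions rather than facts from the article: that ZK artifacts are published under the Maven groupId `org.zkoss.zk`, and that any version older than the fixing release 9.6.2 deserves review even if it is not in the explicit affected list. The sample POM is constructed for the example.

```python
"""Audit a Maven pom.xml for ZK Framework versions affected by CVE-2022-36537."""
import re
import xml.etree.ElementTree as ET

# From the article: versions named as affected, and the release that fixes the flaw.
AFFECTED_VERSIONS = {"9.6.1", "9.6.0.1", "9.5.1.3", "9.0.1.2", "8.6.4.1"}
FIXED_VERSION = "9.6.2"

# Assumption (not stated in the article): ZK artifacts use the Maven groupId org.zkoss.zk.
ZK_GROUP_ID = "org.zkoss.zk"


def parse_version(version):
    """'9.6.0.1' -> (9, 6, 0, 1). Parsing stops at the first non-numeric segment."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_lt(a, b):
    """Numeric dotted-version comparison; shorter tuples are padded with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def assess(version):
    """Classify a ZK version against the advisory data."""
    if version in AFFECTED_VERSIONS:
        return "affected"
    if version_lt(version, FIXED_VERSION):
        # Assumption: anything older than the fixing release deserves review even
        # though the advisory does not list it explicitly.
        return "older-than-fix"
    return "fixed"


def _local(tag):
    """Strip the Maven XML namespace: '{http://...}dependency' -> 'dependency'."""
    return tag.split("}")[-1]


def zk_dependencies(pom_xml):
    """Return [(artifactId, resolved version)] for every org.zkoss.zk dependency."""
    root = ET.fromstring(pom_xml)

    # Collect <properties> so that ${zk.version}-style references can be resolved.
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            props.update({_local(c.tag): (c.text or "").strip() for c in node})

    def resolve(value):
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

    found = []
    for node in root.iter():
        if _local(node.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in node}
        if fields.get("groupId") == ZK_GROUP_ID:
            found.append((fields.get("artifactId", ""), resolve(fields.get("version", ""))))
    return found


def audit_pom(pom_xml):
    """Return [(artifactId, version, verdict)] for the ZK dependencies in a POM."""
    return [(artifact, version, assess(version)) for artifact, version in zk_dependencies(pom_xml)]


# Constructed sample POM (not from any real project) mixing a property-driven
# version, a literal fixed version, and an unrelated dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <zk.version>9.6.0.1</zk.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.zkoss.zk</groupId>
      <artifactId>zk</artifactId>
      <version>${zk.version}</version>
    </dependency>
    <dependency>
      <groupId>org.zkoss.zk</groupId>
      <artifactId>zul</artifactId>
      <version>9.6.2</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, verdict in audit_pom(SAMPLE_POM):
        print(f"{ZK_GROUP_ID}:{artifact} {version}: {verdict}")
```

Run it against a real project's pom.xml by reading the file into `audit_pom`; versions inherited from a parent POM or a BOM will not be resolved by this script and show up with an empty version, which is itself a cue to check the parent.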
