The US Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability in the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation.
Tracked as CVE-2022-36537, the vulnerability affects several versions of the open-source Java web framework ZK Framework. It lies in the framework's AuUploader servlet: a specially crafted POST request lets an unauthenticated attacker reach pages and data that should require a login, exposing sensitive information. Because ZK is embedded in other software, the flaw is inherited by multiple downstream products, including ConnectWise R1Soft Server Backup Manager. ZK fixed the issue in May 2022 and released patched builds for each affected version line; downstream vendors had to ship their own updates on top of that.
A proof-of-concept (PoC) showed how the bug is chained into a full compromise: use the crafted request to bypass authentication, upload a backdoored JDBC database driver to gain code execution on the backup server, and from there deploy ransomware to the endpoints that the server manages.
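The following detection example is added here by the editor; it is not code from the original article, from ZK, or from ConnectWise. It assumes the publicly documented shape of the vulnerable request (a POST to the ZK upload servlet at a path ending in `/zkau/upload` carrying a `nextURI` parameter) and runs over a few constructed access-log lines, not real traffic, so the hostnames, timestamps and paths are illustrative.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Apache/nginx common format) for illustration only.
# Line 2 mimics the CVE-2022-36537 request shape; the others are benign or unrelated.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Feb/2023:10:01:02 +0000] "GET /Configuration/login.zul HTTP/1.1" 200 5120
203.0.113.10 - - [20/Feb/2023:10:01:05 +0000] "POST /zkau/upload?uuid=abc&dtid=z_1&sid=0&maxsize=10000&nextURI=/Configuration/database.zul HTTP/1.1" 200 812
198.51.100.7 - - [20/Feb/2023:10:02:11 +0000] "POST /zkau/upload?uuid=abc&dtid=z_1&sid=0&maxsize=10000 HTTP/1.1" 200 812
203.0.113.10 - - [20/Feb/2023:10:03:40 +0000] "POST /zkau HTTP/1.1" 200 230
"""

# Minimal common-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def next_uri_of(target):
    """Return the nextURI value if `target` is a request to the ZK upload servlet
    that carries one, otherwise None. This is the crafted-request marker for
    CVE-2022-36537 as described in the public advisory (assumption: the servlet is
    mounted at the default /zkau/upload path)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/zkau/upload"):
        return None
    values = parse_qs(parts.query).get("nextURI")
    return values[0] if values else None


def find_suspicious_uploads(log_text):
    """Scan log text and return (ip, timestamp, nextURI) for every POST to the
    upload servlet that forwards to another URI. Non-matching lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        uri = next_uri_of(m["target"])
        if uri is not None:
            hits.append((m["ip"], m["ts"], uri))
    return hits


if __name__ == "__main__":
    for ip, ts, uri in find_suspicious_uploads(SAMPLE_LOG):
        print(f"{ts} {ip} -> upload servlet forwarded to {uri}")
```

Treat a hit as a triage lead rather than proof of compromise: a legitimate ZK file upload can also carry `nextURI`, so confirm by checking whether the same client went on to upload a JDBC driver (a `.jar`) or whether the forwarded page is one that should have required authentication. On an unpatched R1Soft server the safest assumption is that any such hit preceded a driver upload, and the host should be treated as compromised until the driver directory and scheduled tasks have been reviewed.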
Numen Cyber Labs published a PoC and warned that more than 4,000 Server Backup Manager instances were exposed to the internet and vulnerable. A follow-up scan by Fox-IT (part of NCC Group) found that 146 R1Soft servers were still carrying the attackers' backdoor as of February 20, 2023.
Most of the compromised servers were located in the US, South Korea, the UK, Canada, Spain, Colombia, Malaysia, Italy, India, and Panama. Because a backup server holds copies of everything it protects, the intrusion let the attackers steal VPN configuration files, sensitive documents, and IT administration information from the affected organizations.
CISA recommends updating ZK Framework, and any product that embeds it, to the latest patched version; under Binding Operational Directive 22-01, federal civilian agencies must remediate KEV entries by the listed due date. The agency also recommends keeping antivirus software, firewalls, and intrusion detection/prevention systems up to date, although these are secondary controls: they do not close the hole, and a server that was exposed before patching should be checked for the backdoored JDBC driver rather than assumed clean.