
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.

Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive information via specially crafted requests.

“The ZK Framework is an open source Java framework,” CISA said. “This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager.”

The vulnerability was patched in May 2022 in versions 9.6.2, 9.6.0.2, 9.5.1.4, 9.0.1.3, and 8.6.4.2.

As demonstrated by Huntress in a proof-of-concept (PoC) in October 2022, the vulnerability can be weaponized to bypass authentication, upload a backdoored JDBC database driver to gain code execution, and deploy ransomware on susceptible endpoints.

Singapore-based Numen Cyber Labs, in addition to publishing a PoC of its own in December 2022, cautioned that it found more than 4,000 Server Backup Manager instances exposed on the internet.

The vulnerability has since come under mass exploitation: NCC Group’s Fox-IT research team reported last week that it has been used to obtain initial access and deploy a web shell backdoor on 286 servers.

A majority of the infections are located in the U.S., South Korea, the U.K., Canada, Spain, Colombia, Malaysia, Italy, India, and Panama. A total of 146 R1Soft servers remain backdoored as of February 20, 2023.

“Over the course of the compromise, the adversary was able to exfiltrate VPN configuration files, IT administration information and other sensitive documents,” Fox-IT said.