The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a significant vulnerability affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog, citing ongoing indications of active exploitation. This flaw, identified as CVE-2022-36537, carries a CVSS score of 7.5 and impacts several versions of the framework, specifically 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, allowing attackers to retrieve sensitive information through specially crafted requests.

CISA noted that the ZK Framework is an open-source Java framework that has been integrated into various products, one of which is ConnectWise R1Soft Server Backup Manager. The agency’s emphasis on this vulnerability underscores its potential impact across different applications and sectors.

This vulnerability was addressed in May 2022 with patches released in versions 9.6.2, 9.6.0.2, 9.5.1.4, 9.0.1.3, and 8.6.4.2. Despite these updates, instances of exploitation remain prevalent. According to research from NCC Group’s Fox-IT team, the vulnerability has been leveraged to facilitate unauthorized access and implement web shell backdoors on numerous servers, affecting both public and private organizations across multiple countries.

Significantly, a report dated February 20, 2023, indicated that a multitude of R1Soft servers—including 286 across the United States, South Korea, the U.K., Canada, Spain, Colombia, Malaysia, Italy, India, and Panama—remained compromised. The adversaries involved reportedly succeeded in exfiltrating sensitive data, including VPN configuration files and IT administration details, during the attacks.

Notably, Huntress provided a proof-of-concept demonstration in October 2022 highlighting the exploitation techniques involved, including authentication bypass and backdoor deployment via a compromised JDBC database driver. This exemplifies tactics typically associated with initial access, persistence, and privilege escalation under the MITRE ATT&CK framework.

Furthermore, cybersecurity firm Numen Cyber Labs contributed to the discourse by revealing that more than 4,000 instances of Server Backup Manager were exposed online, which widens the pool of systems reachable by attackers and raises the urgency of patching. Their own proof-of-concept, published in December 2022, further reflected the landscape of exploitation surrounding this CVE.

The persistence of these exploits and the ongoing attempts by threat actors to leverage this vulnerability highlight the urgent need for organizations to ensure they are running the latest versions of their software and to closely monitor their systems for unusual activities. As the threat landscape evolves, both awareness and proactive measures remain the best defense against potential breaches.
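The first step of that advice, confirming which ZK release a deployment actually ships, can be automated against a build manifest. The following Python script is an added example and is not code from the article, CISA, ZK, or ConnectWise. It encodes the affected and fixed versions exactly as the article lists them, compares a version string against the fix on its own release branch, and scans a Maven POM for ZK dependencies. The POM content is constructed for the example; the Maven group id org.zkoss.zk is an assumption about where ZK artifacts live and should be adjusted to match your build. Versions that are older than a fix but not named in the advisory are reported as "review" rather than "affected", because the article does not state whether they are vulnerable.

```python
import xml.etree.ElementTree as ET

# Versions taken from the advisory text: each affected release mapped to the
# release on the same branch that fixed CVE-2022-36537.
AFFECTED_TO_FIXED = {
    "9.6.1": "9.6.2",
    "9.6.0.1": "9.6.0.2",
    "9.5.1.3": "9.5.1.4",
    "9.0.1.2": "9.0.1.3",
    "8.6.4.1": "8.6.4.2",
}


def parse_version(text):
    """Turn '9.6.0.1' into (9, 6, 0, 1); non-numeric parts raise ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(version):
    """Classify a ZK version string against the advisory's lists.

    Returns one of:
      'affected' - exactly one of the versions the advisory names as vulnerable
      'fixed'    - on the same release branch as a fix and at or above it
      'review'   - on a fixed branch but older than the fix and not named;
                   the advisory does not say, so check it manually
      'unknown'  - not parseable, or not on any branch the advisory covers
    """
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    if version.strip() in AFFECTED_TO_FIXED:
        return "affected"
    for fixed in AFFECTED_TO_FIXED.values():
        f = parse_version(fixed)
        # Same branch means the same number of components and the same
        # leading components (9.6.x vs 9.6.0.x are different branches).
        if len(v) == len(f) and v[:-1] == f[:-1]:
            return "fixed" if v >= f else "review"
    return "unknown"


POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def audit_pom(pom_xml, group_id="org.zkoss.zk"):
    """Return (artifactId, version, status) for every ZK dependency in a POM.

    group_id defaults to org.zkoss.zk (assumption about ZK's Maven coordinates;
    change it if your build pulls ZK under another group).
    """
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.iterfind(".//m:dependency", POM_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        if gid != group_id:
            continue
        aid = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        ver = dep.findtext("m:version", default="", namespaces=POM_NS)
        findings.append((aid, ver, classify(ver)))
    return findings


# Constructed sample POM: one affected, one fixed, one older-than-fix entry,
# plus an unrelated dependency that must be ignored.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.zkoss.zk</groupId>
      <artifactId>zk</artifactId>
      <version>9.6.1</version>
    </dependency>
    <dependency>
      <groupId>org.zkoss.zk</groupId>
      <artifactId>zul</artifactId>
      <version>9.6.2</version>
    </dependency>
    <dependency>
      <groupId>org.zkoss.zk</groupId>
      <artifactId>zkbind</artifactId>
      <version>9.5.1.2</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, status in audit_pom(SAMPLE_POM):
        print(f"{artifact:8s} {version:10s} {status}")
```

Run it against your own pom.xml by passing the file contents to audit_pom; a "review" result means the version predates the fix on its branch, which is usually reason enough to upgrade even though the article does not list that exact release. Products that embed ZK, such as the R1Soft Server Backup Manager mentioned above, will not expose a POM, so for those the vendor's own patched build is the thing to verify.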

As we move forward, it is crucial for business owners to remain vigilant and informed about such cybersecurity risks. Utilizing the MITRE ATT&CK framework can provide a structured approach to understanding the tactics and techniques employed by adversaries, enhancing an organization’s capability to respond effectively to these emerging threats.
