U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability, tracked as CVE-2022-36537 (CVSS score: 7.5), in the ZK Java Web open-source framework to its Known Exploited Vulnerabilities Catalog. An attacker can exploit the flaw to retrieve sensitive information through specially crafted POST requests sent to the component AuUploader.
“ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context. The ZK Framework is an open-source Java framework.” reads the advisory.
The vulnerability affects ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1.
This flaw impacts multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this flaw by March 20, 2023.
The vulnerability was reported by Markus Wulftange of Code White GmbH, it was addressed by the vendor in May 2022 with the release of versions 9.6.2, 9.6.0.2, 9.5.1.4, 9.0.1.3, and 8.6.4.2.
In October 2022, researchers from Huntress published a proof-of-concept (PoC) exploit code
As demonstrated by Huntress in a proof-of-concept (PoC) in October 2022.
The following video demonstrates the POC exploit being used to these aforementioned steps: 1) bypass authentication, 2) upload a backdoored JDBC database driver to gain code execution, and 3) use the REST API to trigger commands to registered agents to ultimately push the recently leaked Lockbit 3.0 ransomware to all downstream endpoints.
Researchers from Fox-IT recently reported the active exploitation of the flaw to deploy a backdoor.
“During a recent incident response case, we found traces of an adversary leveraging ConnectWise R1Soft Server Backup Manager software (hereinafter: R1Soft server software). The adversary used it as an initial point of access and as a platform to control downstream systems connected via the R1Soft Backup Agent. This agent is installed on systems to support being backed up by the R1Soft server software and typically runs with high privileges. This means that after the adversary initially gained access via the R1Soft server software it was able to execute commands on all systems running the agent connected to this R1Soft server.” reads the post published by Fox-IT. “The adversary exploited the R1Soft server software via CVE-2022-36537 [1] [2], which is a vulnerability in the ZK Java Framework that R1Soft Server Backup Manager utilises.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ZK Java Web Framework)