The United States Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations that threat actors are actively exploiting CVE-2022-36537 in attacks. The agency has added this vulnerability to its “Known Exploited Vulnerabilities Catalog”. CVE-2022-36537 is a high-severity (7.5/10) flaw affecting the ZK Framework in versions 8.6.4.1, 9.0.1.2, 9.5.1.3, 9.6.0.1, and 9.6.1; it enables attackers to access sensitive information by sending a malicious POST request to the AuUploader component. The flaw was discovered last year by Markus Wulftange and was patched by ZK on May 5, 2022, in version 9.6.2. CISA has set a deadline of March 20, 2023 to apply this update, giving federal agencies roughly three additional weeks to patch.
The ZK Framework is an open-source Ajax web application framework written in Java that enables web developers to create graphical user interfaces for web applications with minimal effort and programming knowledge. The framework is widely employed in projects of all types and sizes, making the effects of this vulnerability far-reaching. Notable products using this framework include some versions of ConnectWise Recover and ConnectWise R1Soft Server Backup Manager. Exploitation of ConnectWise R1Soft Server Backup Manager is what led to this vulnerability being added to the “Known Exploited Vulnerabilities Catalog”, as it was used to gain initial access in an incident detailed by Fox-IT. Based on this incident, additional research from their team indicated that at least 286 servers had been exploited in the same way since November 2022.
Analyst Notes
While this vulnerability was patched nearly a year ago, it is still being actively exploited in many organizations. This demonstrates the need for two key functions in any organization – threat intelligence and a patching schedule. Adequate threat intelligence is needed in an organization for a variety of reasons, but one key reason is to ensure that the organization is made aware of newly released vulnerabilities in a timely manner. Threat intelligence works hand-in-hand with a patching schedule: without it, the team performing the patching may dismiss a vulnerability as unimportant or may not be aware of it in the first place. An adequate patching schedule is needed in any organization, as without it, threat intelligence may go unactioned and leave gaps in an environment that an attacker could exploit, leading to the organization being compromised. These two functions build off each other – if one is lacking, then the overall security of the organization will be affected.
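As an added example (not code from the advisory, from CISA or from ZK), the Python below turns the facts above, the listed affected releases, the 9.6.2 fix and the March 20, 2023 KEV due date, into the kind of triage check a patching schedule driven by threat intelligence would run over a host inventory. The hostnames and versions in the inventory are constructed, and treating every release below 9.6.2 as unpatched is an assumption that goes beyond the exact versions the page lists.

```python
from dataclasses import dataclass
from datetime import date

# Facts taken from the advisory text above.
AFFECTED_VERSIONS = {"8.6.4.1", "9.0.1.2", "9.5.1.3", "9.6.0.1", "9.6.1"}
FIXED_VERSION = "9.6.2"
KEV_DUE_DATE = date(2023, 3, 20)  # CISA deadline for applying the update


def parse_version(v: str) -> tuple:
    """Turn '9.6.0.1' into (9, 6, 0, 1); shorter strings are zero-padded so
    '9.6.1' compares as (9, 6, 1, 0) against four-part versions."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version: str) -> bool:
    """True if the version is one the advisory lists, or (assumption) any
    release older than the fixed 9.6.2 build."""
    return version in AFFECTED_VERSIONS or parse_version(version) < parse_version(FIXED_VERSION)


@dataclass
class Host:
    name: str
    zk_version: str


def triage(hosts, today_iso: str):
    """Return (hostname, version, days_past_kev_due_date) for every host still
    running a vulnerable ZK build, so the patching team gets a ranked worklist."""
    today = date.fromisoformat(today_iso)
    overdue = max((today - KEV_DUE_DATE).days, 0)
    return [(h.name, h.zk_version, overdue) for h in hosts if is_vulnerable(h.zk_version)]


# Constructed inventory: hypothetical hostnames and versions, not data from the advisory.
INVENTORY = [
    Host("backup-01", "9.6.1"),
    Host("backup-02", "9.6.2"),
    Host("portal-03", "9.5.1.3"),
    Host("portal-04", "9.6.3"),
]

if __name__ == "__main__":
    for name, ver, days in triage(INVENTORY, "2023-03-27"):
        print(f"{name}: ZK {ver} affected by CVE-2022-36537, {days} day(s) past KEV due date")
```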
https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/