According to an advisory published by ConnectWise, a critical remote code execution vulnerability, tracked as CVE-2022-36537, could allow an attacker to directly access confidential data. The bug affected ConnectWise Recover v2.9.7 and earlier versions, along with R1Soft SBM v6.16.3 and earlier versions. Huntress researchers explained that the authentication bypass and sensitive file leak affect ZK, the Java Ajax web application framework used within the ConnectWise R1Soft Server Backup Manager SE software. The researchers published a video PoC that demonstrated this vulnerability being exploited.
ConnectWise has announced that it does not have any evidence of the vulnerability currently being exploited in the wild. Anyone who runs this software should stay up to date on security patches and run the most current version so that they are not susceptible to the vulnerability.