The United States Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations that threat actors are actively exploiting CVE-2022-36537 in attacks. The agency has added this vulnerability to its “Known Exploited Vulnerabilities Catalog”. CVE-2022-36537 is a high-severity (7.5/10) flaw affecting ZK Framework 9.6.1 and several earlier releases; it enables attackers to access sensitive information by sending a malicious POST request to the AuUploader component. The flaw was discovered last year by Markus Wulftange and was patched by ZK on May 5, 2022, in version 9.6.2. CISA has set a deadline of March 20, 2023 to apply this update, giving federal agencies roughly three additional weeks to patch.
The ZK Framework is an open-source Ajax web application framework written in Java that enables web developers to build graphical user interfaces for web applications with minimal effort and programming knowledge. The framework is widely employed in projects of all types and sizes, making the effects of this vulnerability far-reaching. Notable products using this framework include some versions of ConnectWise Recover and ConnectWise R1Soft Server Backup Manager. Exploitation of ConnectWise R1Soft Server Backup Manager is what led to this vulnerability being added to the “Known Exploited Vulnerabilities Catalog”, as it was observed being used to gain initial access in an incident detailed by Fox-IT. Following this incident, additional research by the Fox-IT team indicated that at least 286 servers had been exploited in the same way since November 2022.