CISA adds ZK Java Web Framework bug to Known Exploited Vulnerabilities Catalog

US CISA added an actively exploited vulnerability in the ZK Java Web Framework to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability, tracked as CVE-2022-36537 (CVSS score: 7.5), in the ZK Java Web open-source framework to its Known Exploited Vulnerabilities Catalog. An attacker can exploit the flaw to retrieve sensitive information through specially crafted POST requests sent to the AuUploader component.


“ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context. The ZK Framework is an open-source Java framework.” reads the advisory.

The vulnerability affects ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1.

This flaw impacts multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by March 20, 2023.

The vulnerability was reported by Markus Wulftange of Code White GmbH. It was addressed by the vendor in May 2022 with the release of versions 9.6.2, 9.6.0.2, 9.5.1.4, 9.0.1.3, and 8.6.4.2.
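As an added example (not code from the article, CISA or the ZK project), the following Python check classifies a ZK version against the affected and fixed releases listed above and scans a Maven pom.xml for org.zkoss.zk dependencies; the pom.xml element order and the sample pom content are constructed assumptions.

```python
import re

# Fixed releases named in the article (May 2022). Each fixed version also
# identifies the release branch it closes: any release on that branch below
# the fix (9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, 8.6.4.1 on the page) is affected.
FIXED_VERSIONS = ["9.6.2", "9.6.0.2", "9.5.1.4", "9.0.1.3", "8.6.4.2"]
# Assumed pom.xml layout: groupId, artifactId, version appear in that order.
DEP_RE = re.compile(
    r"<dependency>\s*<groupId>org\.zkoss\.zk</groupId>\s*"
    r"<artifactId>(?P<artifact>[^<]+)</artifactId>\s*"
    r"<version>(?P<version>[^<]+)</version>",
    re.S,
)

# Constructed sample pom.xml, not taken from any real project.
SAMPLE_POM = """<project><dependencies>
  <dependency><groupId>org.zkoss.zk</groupId><artifactId>zk</artifactId><version>9.6.0.1</version></dependency>
  <dependency><groupId>org.zkoss.zk</groupId><artifactId>zul</artifactId><version>${zk.version}</version></dependency>
</dependencies></project>"""

def parse_version(v: str) -> tuple:
    """'9.6.0.1' -> (9, 6, 0, 1); a property reference like ${zk.version} -> ()."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def assess(version: str) -> str:
    """Classify a ZK version: 'vulnerable', 'fixed', 'not-in-affected-branch',
    or 'unresolved' when the version string carries no numeric components."""
    v = parse_version(version)
    if not v:
        return "unresolved"
    best = None  # fixed version of the longest branch prefix that matches
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        branch = f[:-1]  # e.g. (9, 6, 0) for 9.6.0.2, (9, 6) for 9.6.2
        if v[:len(branch)] == branch and (best is None or len(f) > len(best)):
            best = f
    if best is None:
        return "not-in-affected-branch"
    return "fixed" if v >= best else "vulnerable"

def scan_pom(pom_xml: str) -> list:
    """Return (artifactId, version, assessment) for each org.zkoss.zk dependency."""
    return [(m["artifact"], m["version"], assess(m["version"]))
            for m in DEP_RE.finditer(pom_xml)]

if __name__ == "__main__":
    for artifact, version, verdict in scan_pom(SAMPLE_POM):
        print(f"org.zkoss.zk:{artifact}:{version} -> {verdict}")
```

A version that resolves to "unresolved" comes from a Maven property and must be looked up in the effective POM before it can be judged.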

In October 2022, researchers from Huntress published proof-of-concept (PoC) exploit code for the flaw.

The following video demonstrates the PoC exploit being used to carry out the aforementioned steps: 1) bypass authentication, 2) upload a backdoored JDBC database driver to gain code execution, and 3) use the REST API to trigger commands to registered agents to ultimately push the recently leaked LockBit 3.0 ransomware to all downstream endpoints.

Researchers from Fox-IT recently reported the active exploitation of the flaw to deploy a backdoor.


“During a recent incident response case, we found traces of an adversary leveraging ConnectWise R1Soft Server Backup Manager software (hereinafter: R1Soft server software). The adversary used it as an initial point of access and as a platform to control downstream systems connected via the R1Soft Backup Agent. This agent is installed on systems to support being backed up by the R1Soft server software and typically runs with high privileges. This means that after the adversary initially gained access via the R1Soft server software it was able to execute commands on all systems running the agent connected to this R1Soft server.” reads the post published by Fox-IT. “The adversary exploited the R1Soft server software via CVE-2022-36537 [1] [2], which is a vulnerability in the ZK Java Framework that R1Soft Server Backup Manager utilises.”

Pierluigi Paganini


(SecurityAffairs – hacking, ZK Java Web Framework)