The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added high-severity flaws affecting the ZK framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. bottom.
This issue, tracked as CVE-2022-36537 (CVSS score: 7.5), affects ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, allowing attackers to obtain sensitive information in the following ways: A specially crafted request.
“The ZK framework is an open source Java framework,” said CISA. “This vulnerability could affect multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager.”
This vulnerability was patched in versions 9.6.2, 9.6.0.2, 9.5.1.4, 9.0.1.3, and 8.6.4.2 in May 2022.
As demonstrated in a proof of concept (PoC) by Huntress in October 2022, this vulnerability was weaponized to bypass authentication and upload a backdoored JDBC database driver to execute code, allowing the affected can deploy ransomware to vulnerable endpoints.
Singapore-based Numen Cyber Labs published its own PoC in December 2022 and also warned that it discovered over 4,000 Server Backup Manager instances exposed on the internet.
Is your business ready for the top SaaS 🛡️ security challenges of 2023? Learn how to tackle them – join the webinar today!
As NCC Group’s Fox-IT research team revealed last week, the vulnerability has since been extensively exploited, gaining initial access and deploying a web shell backdoor on 286 servers.
The majority of infections occur in the United States, South Korea, United Kingdom, Canada, Spain, Colombia, Malaysia, Italy, India and Panama. As of February 20, 2023, a total of 146 R1Soft servers remain backdoored.
“During the course of the breach, the attackers were able to exfiltrate VPN configuration files, IT management information, and other sensitive documents,” Fox-IT said.
