The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2022-36537, a high-severity flaw impacting the ZK Framework, to its “Known Exploited Vulnerabilities (KEV)” catalog based on evidence of active exploitation.
The vulnerability, cited as a remote code execution (RCE) flaw, impacts ZK Framework versions 9.6.1, 188.8.131.52, 184.108.40.206, 220.127.116.11 and 18.104.22.168 and enables threat actors to access sensitive information via specially crafted POST requests to the AuUploader component.
CVE-2022-36537 is already under mass exploitation, as evidenced by researchers, prior to the addition of the vulnerability to CISA’s KEV catalog. Worldwide exploitation attempts have been suspected since at least November 2022. This exploitation is not unexpected, as multiple proof-of-concept (PoC) exploits were published on GitHub in December 2022.
According to CISA, ZK Framework is an open-source Java framework that web developers use to create graphical use interfaces (GUIs) for web apps without needing to have a lot of programming knowledge. Notable examples of products using the ZK Framework include ConnectWise Recover, version 2.9.7 and earlier, and ConnectWise R1SoftServer Backup Manager, version 6.16.3 and earlier.
Nuspire is not affected by this vulnerability.
While CISA’s patching policies are only applicable to federal organizations, their guidance is valuable for any organization using technology cited in their advisories. CISA provides a “Known Exploited Vulnerabilities Catalog,” which organizations can use while reviewing their technology stack and managing their vulnerability program. Here’s a list of steps organizations can take to protect themselves: