ConnectWise, a provider of IT service management software, announced a critical remote code execution (RCE) vulnerability in their server backup solution.
ConnectWise recently published software patches to address CVE-2022-36537, an RCE vulnerability in the ZK Ajax web application framework (a Java framework) used within the ConnectWise R1Soft Server Backup Manager (SBM) SE. It is described as “improper neutralization of special elements in output used by a downstream component,” which could allow remote code execution or disclosure of sensitive information.
The vulnerability affects the following products:
The flaw was discovered by security researchers who published a video proof-of-concept (POC) demonstrating how attackers could exploit the vulnerability to take complete control of affected systems. Their research identified “upwards of 5,000 exposed server manager backup instances,” potentially exposing companies to supply chain risks.
ConnectWise stated that it has pushed an automatic update to both cloud and client instances of ConnectWise SBM (the R1Soft Server Backup Manager) and advises upgrading immediately to the new SBM v6.16.4.
Nuspire is not utilizing an affected version of ConnectWise.
Clients using ConnectWise Recover or R1Soft SBM should review the following recommendations:
ConnectWise Recover: Affected ConnectWise Recover SBMs should have been automatically updated. Verify you are on the most recent version of Recover (v2.9.9).
R1Soft: Upgrade the Server Backup Manager to SBM v6.16.4, released Oct. 28, 2022, using the R1Soft upgrade wiki.
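Verifying the installed build is the practical step behind both recommendations. The following script is an added example (not code from Nuspire, ConnectWise or R1Soft) that reads a constructed host inventory and flags entries still below the fixed releases named above (SBM v6.16.4, Recover v2.9.9). The inventory format, host names and product labels are assumptions for illustration; versions that cannot be parsed are put in a "review" bucket rather than silently treated as patched.

```python
"""Added example (not Nuspire's or ConnectWise's code): flag inventory
entries still below the fixed builds named in the advisory."""
import re
from typing import Optional

# Fixed versions as stated in the advisory (product labels are assumed).
FIXED_VERSIONS = {
    "r1soft-sbm": (6, 16, 4),
    "connectwise-recover": (2, 9, 9),
}


def parse_version(text: str) -> Optional[tuple]:
    """Turn 'v6.16.4' or '6.16.4-build123' into (6, 16, 4); None if unparseable."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the installed version is older than the fixed release.
    None means the product is not tracked or the version is unparseable;
    such hosts should be reviewed manually, not assumed safe."""
    fixed = FIXED_VERSIONS.get(product)
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return None
    return parsed < fixed  # numeric tuple comparison, so 6.16.10 > 6.16.4


# Constructed sample inventory (hypothetical hosts): host,product,version
SAMPLE_INVENTORY = """\
backup01.example.internal,r1soft-sbm,v6.16.3
backup02.example.internal,r1soft-sbm,6.16.4
recover01.example.internal,connectwise-recover,v2.9.8
recover02.example.internal,connectwise-recover,v2.9.9
misc01.example.internal,r1soft-sbm,unknown
"""


def triage(inventory: str) -> dict:
    """Group hosts into 'affected', 'patched' and 'review' buckets."""
    result = {"affected": [], "patched": [], "review": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = (p.strip() for p in line.split(",", 2))
        status = is_affected(product, version)
        if status is None:
            result["review"].append(host)
        elif status:
            result["affected"].append(host)
        else:
            result["patched"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the real export from your asset inventory in the same host,product,version shape; anything landing in "review" (missing or odd version strings) deserves a manual check against the SBM console rather than being counted as patched.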