ConnectWise Reports Critical Remote Code Execution (RCE) Vulnerability: What You Need to Know

ConnectWise, a provider of IT service management software, announced a critical remote code execution (RCE) vulnerability in their server backup solution.

What’s going on?

ConnectWise recently published software patches to address CVE-2022-36537, an RCE vulnerability in the ZK Java Ajax web application framework used within the ConnectWise R1Soft Server Backup Manager (SBM) SE. The flaw is classified as “improper neutralization of special elements in output used by a downstream component,” which could allow remote code execution or disclosure of sensitive information.

The vulnerability affects the following products:

  • ConnectWise Recover version 2.9.7 and earlier versions
  • R1Soft SBM version 6.16.3 and earlier versions

The flaw was discovered by security researchers who published a video proof-of-concept (POC) demonstrating how attackers could exploit the vulnerability to take complete control of affected systems. Their research identified “upwards of 5,000 exposed server manager backup instances,” potentially exposing companies to supply chain risks.

What is ConnectWise doing about it?

ConnectWise stated that it has pushed an automatic update to both cloud and client instances of ConnectWise SBM (the R1Soft Server Backup Manager) and advises upgrading immediately to the new SBM v6.16.4.

What is Nuspire doing?

Nuspire does not use an affected version of ConnectWise.

What should I do?

Clients using ConnectWise Recover or R1Soft SBM should review the following recommendations:

ConnectWise Recover: Affected ConnectWise Recover SBMs should have been automatically updated. Verify you are on the most recent version of Recover (v2.9.9).

R1Soft: Upgrade the Server Backup Manager to SBM v6.16.4, released Oct. 28, 2022, by following the R1Soft upgrade wiki.
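As an added example (not part of the ConnectWise advisory or this post), the following Python script checks a software inventory against the affected version ranges stated above. The inventory format, host names and product keys are constructed for the example; the version thresholds are the ones given in the advisory. Versions are compared as numeric tuples so that a build such as 6.16.10 is not mistaken for an older one, which a plain string comparison would do.

```python
"""Flag inventory entries running a CVE-2022-36537-affected ConnectWise Recover or R1Soft SBM build."""

# Affected ranges from the advisory: the listed version and everything earlier.
# Product keys are an assumption for this example, not ConnectWise identifiers.
AFFECTED_THROUGH = {
    "connectwise-recover": (2, 9, 7),
    "r1soft-sbm": (6, 16, 3),
}


def parse_version(text):
    """Turn 'v6.16.4' or '6.16.4' into a tuple of ints for correct ordering."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def is_affected(product, version):
    """True when the version is at or below the last affected release for the product."""
    try:
        ceiling = AFFECTED_THROUGH[product]
    except KeyError:
        raise ValueError(f"unknown product {product!r}")
    return parse_version(version) <= ceiling


def find_affected(inventory):
    """Return the (host, product, version) entries that still need the patch."""
    return [
        (host, product, version)
        for host, product, version in inventory
        if is_affected(product, version)
    ]


# Constructed sample inventory; host names are placeholders.
SAMPLE_INVENTORY = [
    ("backup-01.example.internal", "r1soft-sbm", "6.16.3"),   # affected
    ("backup-02.example.internal", "r1soft-sbm", "v6.16.4"),  # patched
    ("backup-03.example.internal", "r1soft-sbm", "6.16.10"),  # patched, trips string compare
    ("recover-01.example.internal", "connectwise-recover", "2.9.7"),  # affected
    ("recover-02.example.internal", "connectwise-recover", "2.9.9"),  # current
]

if __name__ == "__main__":
    for host, product, version in find_affected(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {host} runs {product} {version}")
```

Run it against an export from your asset inventory; any line printed is a host that should be upgraded or verified against the fixed versions named above.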
