7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.938 High
EPSS
Percentile
98.8%
ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
Recent assessments:
ccondon-r7 at March 01, 2023 6:39pm UTC reported:
The core vuln here is an info leak in ZK Framework, which — yep, you guessed it! — is a popular open-source Java library used to create enterprise mobile and web apps. The original advisory, NVD entry, and CVSS score are all predicated on the mere info leak, but as it turns out, other popular software that uses ZK Framework is vulnerable to full-on remote code execution via CVE-2022-36537. Both Huntress and NCC Group have noted that this bug is being exploited in vulnerable ConnectWise R1Soft Server Backup Manager software to gain initial access to target systems and then do a variety of not-good things, including installing malicious JDBC database drivers to backdoor systems, deploying ransomware, and so on.
Per various write-ups and public PoCs analyzed by @sfewer-r7, the following seems to happen:
Attacker uses the CVE-2022-36537 to leak the contents of /Configuration/database-drivers.zul, which yields a unique secret ID value
Armed with this value, attacker exploits vuln again to reach an endpoint that allows them to upload the JDBC driver, which functions as a handy backdoor
Attacker can now use the REST API to issue commands to registered agents to do nefarious things, like, you know, deploy your ransomware of choice to downstream systems
Oh and hey there are supply chain implications
We know the ConnectWise R1Soft vector is in active use and is easily exploitable, but this being a library vuln (so hot right now), that’s almost certainly not going to be the only attack vector. Some light recon done by folks smarter than me (namely the aforementioned @sfewer-r7) indicates there are plenty of other things that use ZK Framework. The question is which are vulnerable to remote exploits out of the box. Knocking this down an exploitability point overall simply because other applications may not be quite as easily exploitable remotely as the ConnectWise software.
If you’re using a vulnerable R1Soft Server Backup Manager version, please patch immediately. The NCC Group’s FOX IT team has a great write-up with IOCs and attack details.
cbeek-r7 at February 28, 2023 8:41am UTC reported:
Assessed Attacker Value: 5
Assessed Attacker Value: 4
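One way to hunt for the chain described in the assessments above in web-server access logs, as an added example that is not part of the AttackerKB page nor of ZK or ConnectWise: it flags requests that name the leaked file and POSTs to ZK's AU upload path whose query parameters carry a .zul page path. The combined-format log lines, the client addresses and the `target` parameter name are constructed for the example; `zkau/upload` is the standard location of ZK's upload servlet, and treating a .zul path inside an upload request's parameters as suspicious is a heuristic assumption.

```python
"""Hunting heuristic for the CVE-2022-36537 info-leak step (added example).

Assumes Apache/nginx combined log format and ZK's AU upload servlet being
served under a path containing 'zkau/upload'.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Combined log format: ip - - [ts] "METHOD url HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
LEAKED_FILE = "/Configuration/database-drivers.zul"  # file named in the assessment


def scan_line(line):
    """Return the reasons (possibly none) this log line matches the leak pattern."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = m.group("url")
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    reasons = []
    if LEAKED_FILE.lower() in url.lower():
        reasons.append("request references database-drivers.zul (secret ID leak target)")
    if m.group("method") == "POST" and "zkau/upload" in parts.path:
        # Heuristic (assumption): an AU upload request has no business carrying
        # a .zul page path in its parameters.
        zul_values = [v for _, v in params if v.lower().endswith(".zul")]
        if zul_values:
            reasons.append("AU upload request carrying a .zul path: " + ",".join(zul_values))
    return reasons


def scan_log(lines):
    """Return [(line_number, client_ip, reasons)] for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = scan_line(line)
        if reasons:
            hits.append((n, LOG_RE.match(line).group("ip"), reasons))
    return hits


# Constructed sample: two benign ZK requests, one matching the leak pattern, one plain upload.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Feb/2023:08:41:00 +0000] "GET /Configuration/index.zul HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [28/Feb/2023:08:41:07 +0000] "POST /zkau HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Feb/2023:08:42:13 +0000] "POST /zkau/upload?dtid=z_abc&target=/Configuration/database-drivers.zul HTTP/1.1" 200 2048 "-" "python-requests/2.28"',
    '203.0.113.9 - - [28/Feb/2023:08:42:40 +0000] "POST /zkau/upload?dtid=z_abc HTTP/1.1" 200 64 "-" "python-requests/2.28"',
]

if __name__ == "__main__":
    for n, ip, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n} from {ip}: " + "; ".join(reasons))
```

Run it over real access logs by feeding the file's lines to `scan_log`; a hit should be followed up by checking for a subsequent driver upload and for REST API activity from the same client.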