A high-severity vulnerability in the Java ZK Framework that could result in a remote code execution (RCE) was added to a vulnerabilities catalog Feb. 27 by the Cybersecurity and Infrastructure Security Agency (CISA).
In a March 1 blog post, Ryan Cribelar of Nucleus Security said it is highly likely that CISA added the vulnerability — CVE-2022-36537, which has a CVSS score of 7.5 — to the Known Exploited Vulnerabilities (KEV) catalog after FOX IT reported that hundreds of internet-facing ConnectWise R1Soft Server Backup Manager servers had been exploited in the wild. FOX IT later removed the report, and efforts to determine why it was taken down were not successful. The vulnerability can be triggered by a specially crafted POST request, leading to the leakage of sensitive files that are normally hidden from the user.
“The cherry on top for the attackers was that the software they found the RCE vulnerability in is a backup management software,” explained Cribelar. “When you get into a server that is hosting backups for all other machines, that’s where you can push danger outward.”
ZK is one of the leading open-source Java Web frameworks for building enterprise web applications, with more than 2 million downloads.
Huntress researchers reported in a blog post last fall that the ZK Framework vulnerability was first discovered last spring by Markus Wulftange of Code White GmbH. Following responsible disclosure, Code White GmbH helped bring about the patched release, ZK version 9.7.2, in May 2022.
According to Huntress, a colleague of Wulftange, Florian Hauser (@frycos), saw that the ZK library was bundled with ConnectWise R1Soft Server Backup Manager software and tried to notify ConnectWise in July 2022. After receiving no response within the standard 90-day disclosure window, Hauser teased screenshots of how to reproduce the issue on Twitter. Days later, the post was removed, and ConnectWise later asked researchers to use the disclosure form located on its Trust Center homepage.
Based on Hauser’s tweet, the Huntress researchers reproduced the issue themselves and expanded on the proof-of-concept exploit. In its report last fall, Huntress explained how it took the existing PoC code and built on it to achieve device takeover and spread LockBit 3.0 in a demo environment using R1Soft backup servers.
In updating its blog on Feb. 27, Huntress confirmed that the vulnerability CISA placed on the KEV catalog is now being exploited by threat actors.
Cribelar added that any organization using the ZK Framework needs to apply the patch released last May, especially if the application handles business-critical data.
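The patch advice above is only actionable if you know which of your builds pull in ZK at all. The following is an added example, not code from the article, Nucleus Security, Huntress or the ZK project: it scans a Maven dependency listing for ZK artifacts and flags any version below the 9.7.2 release named in the article. It assumes ZK artifacts are published under a Maven group id starting with "org.zkoss" and that the listing is in the `groupId:artifactId:type:version:scope` form that `mvn dependency:list` prints; the sample listing is constructed. Note that this only covers applications you build yourself; a third-party product that bundles ZK (as the article describes for R1Soft) will not appear in your own dependency tree and has to be checked against the vendor's fix.

```python
"""
Flag ZK Framework artifacts older than the patched 9.7.2 release in a Maven
dependency listing.  Added example, not from the article or the ZK project.
Assumptions (not stated on the page): ZK artifacts use a Maven group id that
starts with "org.zkoss", and the input follows the
`groupId:artifactId:type:version:scope` layout of `mvn dependency:list`.
"""
import re
from typing import List, Tuple

PATCHED_VERSION = "9.7.2"      # fixed release named in the article (May 2022)
ZK_GROUP_PREFIX = "org.zkoss"  # assumed group id prefix for ZK artifacts

# Constructed sample of `mvn dependency:list` output for a hypothetical project.
SAMPLE_LISTING = """\
The following files have been resolved:
   org.zkoss.zk:zk:jar:9.6.0.2:compile
   org.zkoss.zk:zul:jar:9.6.0.2:compile
   org.zkoss.zk:zhtml:jar:9.7.2:compile
   org.zkoss.common:zcommon:jar:9.7.2:compile
   org.springframework:spring-web:jar:5.3.20:compile
"""

# One Maven coordinate per line: group:artifact:type:version:scope
_COORD = re.compile(r"^\s*([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):(\w+)\s*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.6.0.2' into (9, 6, 0, 2); non-numeric parts count as 0."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        parts.append(int(piece) if piece.isdigit() else 0)
    return tuple(parts)


def is_older(version: str, reference: str) -> bool:
    """Component-wise comparison, padding the shorter tuple with zeros."""
    a, b = parse_version(version), parse_version(reference)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_unpatched_zk(listing: str) -> List[Tuple[str, str]]:
    """Return (group:artifact, version) for every ZK artifact below PATCHED_VERSION."""
    findings = []
    for line in listing.splitlines():
        m = _COORD.match(line)
        if not m:
            continue  # header lines and blanks are not coordinates
        group, artifact, version, _scope = m.groups()
        if not group.startswith(ZK_GROUP_PREFIX):
            continue
        if is_older(version, PATCHED_VERSION):
            findings.append((f"{group}:{artifact}", version))
    return findings


if __name__ == "__main__":
    for coord, ver in find_unpatched_zk(SAMPLE_LISTING):
        print(f"UNPATCHED {coord} {ver} (< {PATCHED_VERSION})")
```

In practice you would feed it the real output of `mvn dependency:list` (piped from stdin or read from a file) across every repository, so that a single stale transitive dependency on the old ZK line shows up before an attacker finds it.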
ConnectWise CISO Patrick Beggs said the company issued a fix for the flaw in October, and encouraged partners with on-premise instances to install the patch as soon as possible as threat actors are targeting unpatched servers.
Andrew Barratt, vice president at Coalfire, added that RCE vulnerabilities are a "particular kind of nasty," especially in an underlying interpreted framework such as Java. Barratt said that the ZK Framework vulnerability becomes more worrying because it is designed for enterprise web applications, so a remote code execution vulnerability could leave many sites affected.
"My guess would be that there are threat actors already building scan and attack tools so that they can quickly gain initial access to ZK-based websites to either sell access or to build further compromise positions,” said Barratt.