CISA: ZK Java Framework RCE Flaw Under Active Exploit

Published: 23/11/2024   Category: security




The flaw, which drew attention in October when it was found in ConnectWise products, could pose a significant risk to the supply chain if not patched immediately.



A high-severity authentication bypass vulnerability in a widely used open source Java framework is being actively exploited by threat actors, who are using the flaw to deploy backdoors on unpatched servers, the US Cybersecurity and Infrastructure Security Agency (CISA) and security researchers warn.
The scenario could pose a significant supply-chain threat for any unpatched software that bundles the affected Java library, which ships as part of the ZK Java Web Framework, experts said.
CISA has added CVE-2022-36537, which affects ZK Java Web Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, to its Known Exploited Vulnerabilities (KEV) catalog.
The flaw, found in the ZK Framework's AuUploader servlets, could allow an attacker to retrieve the content of a file located in the Web context and thus steal sensitive information, according to the KEV listing. "This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager," CISA said.
Indeed, the flaw first drew widespread attention in October 2022, when ConnectWise sounded an alarm over its presence in its products, specifically the ConnectWise Recover and R1Soft Server Backup Manager technologies. Senior security researchers John Hammond and Caleb Stewart at Huntress subsequently published a blog post about how the flaw can be exploited.
In an update to that blog post, published concurrently with CISA's advisory, Huntress warned that the vulnerability discovered last year in ConnectWise's R1Soft Server Backup Manager software has now been seen exploited in the wild to deploy backdoors on hundreds of servers via CVE-2022-36537.
CISA and Huntress both based their warnings on research from Fox-IT, published Feb. 22, that found evidence of a threat actor using a vulnerable version of ConnectWise R1Soft Server Backup Manager software "as an initial point of access and as a platform to control downstream systems connected via the R1Soft Backup Agent," the researchers wrote in a blog post.
This agent is installed on systems to support being backed up by the R1Soft server software and typically runs with high privileges, according to the post. "This means that after the adversary initially gained access via the R1Soft server software, it was able to execute commands on all systems running the agent connected to this R1Soft server."
For its part, ConnectWise moved swiftly to patch the products in October, pushing out an automatic update to both the cloud and client instances of ConnectWise Server Backup Manager (SBM) and urging customers of the R1Soft Server Backup Manager to upgrade immediately to the new SBM v6.16.4.
A researcher from Germany-based security vendor Code White GmbH was the first to identify CVE-2022-36537, reporting it to the maintainers of the ZK Java Web Framework in May 2022. They fixed the issue in version 9.6.2 of the framework.
ConnectWise became aware of the flaw in its products when another researcher from the same company discovered that ConnectWise's R1Soft SBM technology was using the vulnerable version of the ZK library and reported the issue to the company, according to the Huntress blog post.
When the company did not respond within 90 days, the researcher teased a few details of how the flaw could be exploited on Twitter, which Huntress researchers used to replicate the vulnerability and refine a proof-of-concept (PoC) exploit.
Huntress researchers ultimately demonstrated that they could leverage the vulnerability to leak server private keys, software license information, and system configuration files, and eventually gain remote code execution in the context of a system superuser.
At the time, the researchers identified upwards of 5,000 exposed Server Backup Manager instances via Shodan, all of which, along with their registered hosts, had the potential to be exploited by threat actors, they said. But they surmised that the vulnerability could impact significantly more machines than that.
When Huntress did its analysis of the flaw, there was no evidence of active exploitation. Now that this has changed, any unpatched version of the ZK Java Web Framework, whether in ConnectWise products or in other software that bundles it, is fair game for threat actors, which could create significant risk for the supply chain.
Fox-IT's research indicates that worldwide exploitation of ConnectWise's R1Soft server software started around the end of November 2022, soon after Huntress released its PoC.
"With the help of fingerprinting, we have identified multiple compromised hosting providers globally," the researchers wrote.
In fact, Fox-IT researchers said that as of Jan. 9 they had identified a total of 286 servers running R1Soft server software with a specific backdoor.
CISA is urging organizations still running unpatched versions of the affected ConnectWise products to update them per vendor instructions, according to the KEV listing. And while the flaw has so far been confirmed only in the ConnectWise products, any other software that bundles an unpatched version of the framework would be vulnerable as well.
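The practical question this leaves for a defender is whether anything in their own estate bundles one of the affected ZK releases, since the library rides inside vendor products such as R1Soft rather than being installed on its own. The script below is an added example for that check; it is not code from CISA, Huntress, Fox-IT, ConnectWise or the ZK project. It assumes that ZK jars are Maven-built and therefore carry a META-INF/maven/org.zkoss.zk/.../pom.properties file with a version line (an assumption), and it treats any ZK version below 9.6.2 that the KEV listing does not name as needing review rather than as known-safe (also an assumption; the article only states that the fix landed in 9.6.2). The sample WAR it scans is constructed in memory.

```python
"""Scan jar/war/ear files for a bundled ZK Java Web Framework and flag the versions
named in the KEV listing for CVE-2022-36537, or anything older than the 9.6.2 fix.
Added example, not code from CISA, Huntress, Fox-IT, ConnectWise or ZK."""
import io
import re
import zipfile
from pathlib import Path

# Versions the KEV listing names as affected, and the ZK release that fixed the flaw (from the article).
AFFECTED_VERSIONS = {"9.6.1", "9.6.0.1", "9.5.1.3", "9.0.1.2", "8.6.4.1"}
FIXED_VERSION = "9.6.2"

# Assumption: ZK artifacts are Maven-built, so each jar carries
# META-INF/maven/org.zkoss.zk/<artifact>/pom.properties with a 'version=' line.
ZK_POM_PREFIX = "META-INF/maven/org.zkoss.zk/"


def parse_version(version):
    """'9.6.0.1' -> (9, 6, 0, 1); stops at the first non-numeric piece so '9.6.2-SNAPSHOT' still parses."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def classify(version):
    """'affected' for a version the KEV listing names; 'review' for an older version the listing
    does not name (assumption: not known fixed, so treat as suspect); 'fixed' for 9.6.2 or later."""
    if version in AFFECTED_VERSIONS:
        return "affected"
    if parse_version(version) < parse_version(FIXED_VERSION):
        return "review"
    return "fixed"


def zk_version_from_jar(jar_bytes):
    """Return the ZK version declared in a jar's Maven pom.properties, or None if it is not a ZK jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(ZK_POM_PREFIX) and name.endswith("pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    return None


def scan_archive(label, data, findings):
    """Append (label, version, status) if the archive is a ZK jar; otherwise descend into
    jars nested under WEB-INF/lib or lib/, which is where a product's bundled copy lives."""
    version = zk_version_from_jar(data)
    if version is not None:
        findings.append((label, version, classify(version)))
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".jar") and ("WEB-INF/lib/" in name or name.startswith("lib/")):
                scan_archive(f"{label}!{name}", zf.read(name), findings)


def scan_tree(root):
    """Walk root for *.jar/*.war/*.ear files and return a list of (path, zk_version, status)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in (".jar", ".war", ".ear"):
            scan_archive(str(path), path.read_bytes(), findings)
    return findings


def build_archive(files):
    """Build an in-memory zip (jar/war) from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Constructed sample: a WAR bundling an affected ZK jar next to an unrelated jar."""
    zk_jar = build_archive({
        "META-INF/maven/org.zkoss.zk/zk/pom.properties":
            b"groupId=org.zkoss.zk\nartifactId=zk\nversion=9.6.1\n",
    })
    other_jar = build_archive({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    war = build_archive({"WEB-INF/lib/zk.jar": zk_jar, "WEB-INF/lib/other.jar": other_jar})
    findings = []
    scan_archive("sample.war", war, findings)
    return findings


if __name__ == "__main__":
    for label, version, status in demo():
        print(f"{status:8} {version:10} {label}")
```

Point scan_tree at an application server's deployment directory to get the same (path, version, status) tuples for real archives; a 'review' hit is a prompt to check the vendor's advisory, not a confirmed vulnerability.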
