The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has recently issued a warning about a remote code execution (RCE) flaw that is being exploited by cybercriminals. The flaw, identified as CVE-2022-36537, has been added to CISA’s “Known Exploited Vulnerabilities Catalog,” and it affects several versions of the ZK Framework, including 9.6.1, 220.127.116.11, 18.104.22.168, 22.214.171.124, and 126.96.36.199. The vulnerability allows attackers to gain access to sensitive information by sending a carefully crafted POST request to the AuUploader component. ZK addressed the issue with the release of version 9.6.2 on May 05, 2022.
The ZK Framework is an open-source Ajax web application framework written in Java that lets developers build graphical user interfaces for web applications with minimal effort and programming knowledge. Because it is widely used in projects of all sizes and types, the vulnerability has a significant impact.
Several notable products that use the ZK Framework are affected by this vulnerability, including ConnectWise Recover version 2.9.7 and earlier and ConnectWise R1Soft Server Backup Manager version 6.16.3 and earlier.
CISA has warned that this type of vulnerability is a frequent attack vector for malicious cyber actors and poses a severe threat to federal enterprises. Institutions and organizations are therefore advised to apply the published updates immediately.
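One practical way to act on that advice is to check a Java project's build file for a ZK dependency older than the 9.6.2 fix. The following Python script is an added example, not code from the article, CISA, or the ZK project; it assumes the standard Maven coordinate `org.zkoss.zk:zk`, and the pom.xml content it scans is constructed for illustration.

```python
"""Flag a Maven project whose ZK Framework dependency predates the 9.6.2
release that fixed CVE-2022-36537. Added example; the pom.xml below is
constructed, and the org.zkoss.zk groupId is the framework's Maven coordinate."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (9, 6, 2)  # first release the article names as patched

# Constructed sample pom.xml declaring a pre-fix ZK release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.zkoss.zk</groupId>
      <artifactId>zk</artifactId>
      <version>9.6.1</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Turn '9.6.0.1' into a tuple of ints; drop qualifiers such as '-Eval'."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))

def zk_versions(pom_xml):
    """Return the version string of every org.zkoss.zk dependency in a pom.xml."""
    root = ET.fromstring(pom_xml)
    # Maven POMs carry a default namespace; honour it if present.
    ns = {"m": root.tag[1:].split("}")[0]} if root.tag.startswith("{") else {}
    prefix = "m:" if ns else ""
    found = []
    for dep in root.findall(f".//{prefix}dependency", ns):
        gid = dep.findtext(f"{prefix}groupId", default="", namespaces=ns)
        ver = dep.findtext(f"{prefix}version", default="", namespaces=ns)
        if gid.strip() == "org.zkoss.zk" and ver.strip():
            found.append(ver.strip())
    return found

def is_vulnerable(version):
    """True when the ZK version predates the 9.6.2 fix (tuple compare handles 4-part versions)."""
    return parse_version(version) < FIXED_VERSION

def audit_pom(pom_xml):
    """Map each ZK version found in the pom to whether it still needs the update."""
    return {v: is_vulnerable(v) for v in zk_versions(pom_xml)}

if __name__ == "__main__":
    for v, vuln in audit_pom(SAMPLE_POM).items():
        print(f"ZK {v}: {'UPDATE REQUIRED' if vuln else 'ok'}")
```

Versions declared through Maven properties (`${zk.version}`) or inherited from a parent POM are not resolved here, so run it against the effective POM (`mvn help:effective-pom`) for a complete picture.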