Chris Swagler | March 9th, 2023

CVE-2022-36537 was added to the United States Cybersecurity & Infrastructure Security Agency (CISA) “Known Exploited Vulnerabilities Catalog” after threat actors began actively exploiting the remote code execution (RCE) bug in attacks. CVE-2022-36537 is a very critical (CVSS v3.1: 7.5) weakness that affects ZK Framework versions 9.6.1,,,, and, allowing threat operators to obtain private information by sending a specially crafted POST request to the AuUploader component. According to the CISA, ZK Framework AuUploader servlets feature an unidentified vulnerability that can allow threat operators to acquire the file’s content contained in the web context. Last year, the flaw was uncovered and ZK rectified it on May 5, 2022, with version 9.6.2. ZK is a Java-based open-source Ajax Web app framework allowing web developers to construct graphical user interfaces for web applications with little effort and programming skills.

Because the ZK framework is frequently used in projects of all sizes and types, the impact of the flaw is widespread and far-reaching. The managed service provider (MSP) products, including Recover, version 2.9.7 and earlier, and R1SoftServer Backup Manager, version 6.16.3 and earlier, are using the ZK framework. The vulnerability is a common attack vector for malicious cyber threat actors and is a substantial threat to federal agencies. CISA implement a deadline for federal agencies to March 20, 2023, to install available security updates, allowing the agencies three weeks to respond to the security risk and take appropriate steps to protect their networks.

The vulnerability being added to CISA’s Known Exploited Vulnerabilities Catalog came after a cybersecurity company’s IT team published a report detailing how the flaw was actively exploited in attacks. A threat operator used CVE-2022-36537 to obtain initial access to the R1Soft Server Backup Manager software during a recent incident response. The threat operators took control of downstream systems linked through the R1Soft Backup Agent and installed a malicious database driver with backdoor capabilities, allowing them to execute commands on all systems connected to the R1Soft server. Additional investigation was conducted and discovered that global exploitation attempts against R1Soft server software have been ongoing since November 2022, with around 286 servers detected running the backdoor as of January 9, 2023. The vulnerability’s exploitation isn’t surprising considering numerous proof-of-concept (PoC) exploits were published in December 2022. Tools for conducting attacks against unpatched R1Soft Server Backup Manager deployments are vastly available which makes it critical for administrators to update to the recent version.

With the most recent vulnerability being exploited by threat operators, it’s critical for companies to always remain vigilant of the current threat landscape and regularly update their data network framework. At SpearTip, our certified engineers are ready to respond to incidents and are continuously working in an investigative cycle at our 24/7/365 Security Operations Center monitoring companies’ data networks for potential cyber threats. With our risk assessments, we designed the assessments for each client to uncover gaps in security and include a technical summary with an individualized risk report detailing necessary steps to remediate the gaps. Our ShadowSpear platform, an integrable solution tool, uses detection engines powered by artificial intelligence (AI) and attack tactics, techniques, and procedures (TTP) models to detect malicious activities.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.