There is an active exploitation of a remote code execution vulnerability that affects multiple versions of the ZK Framework. Assigned with CVE-2022-36537, the vulnerability may allow an attacker to access critical information by sending a specially crafted POST request to the AuUploader component. Markus Wulftange of Code White GmbH discovered the vulnerability last year, and ZK addressed the flaw on May 05, 2022.
NCC Group’s Fox-IT team published a report describing the active exploitation of this vulnerability in attacks on ConnectWise R1Soft Server Backup Manager software. Post this report, CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it by March 20, 2023. Further analysis revealed multiple proof-of-concept (PoC) exploits were published on GitHub in December 2022.
ZK is an open-source Ajax Web app framework written in Java. The framework allows Web designers to easily and quickly construct graphical user interfaces for web apps. The ZK framework is widely used in projects of various types and sizes. ConnectWise Recover, version 2.9.7 and earlier, and ConnectWise R1SoftServer Backup Manager, version 6.16.3 and earlier, are some examples of products that use the ZK framework.
A security flaw in the ZK AuUploader servlets can be used to get the contents of files stored in the web context. This includes files usually hidden from the user in WEB-INF, such as web.xml, zk.xml, etc.
To exploit the flaw, an attacker could send a fake request to the /zkau/upload endpoint in the vulnerable versions. If the fake request contains the nextURI parameter, the AuUploader will try to forward the request internally and output any found document into the response.
This forward is internal; thus, it has access to documents in the WEB-INF folder, which makes internal files like web.xml, zk.xml in this directory visible.
The vulnerability affects ZK Framework versions 9.6.1, 220.127.116.11, 18.104.22.168, 22.214.171.124, and 126.96.36.199.
ZK has fixed the vulnerability in the following versions:
- 188.8.131.52 (security release)
- 184.108.40.206 (security release)
- 220.127.116.11 (security release)
- 18.104.22.168 (security release)
As per the advisory, “The secure list contains security releases for ZK branches from 8.6.X up to 9.6.0.X, and the main release 9.6.2.”
Customers can refer to the official ZK Security Advisory for more information about the vulnerability.
Qualys customers can scan their devices with QID 990394 to detect vulnerable assets.
QID 990934 is currently available via the SCA (Software Composition Analysis) capabilities for Container Security.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.