After threat actors started aggressively using the ZK Java Framework remote code execution (RCE) flaw in attacks, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2022-36537 to its “Known Exploited Vulnerabilities Catalog.”

The ZK Framework versions 9.6.1,,,, and are all affected by the high-severity (CVSS v3.1: 7.5) CVE-2022-36537 flaw, which allows attackers to obtain sensitive data by submitting a specifically designed POST request to the AuUploader component.

According to CISA’s description of the flaw, “ZK Framework AuUploader servlets feature an unspecified vulnerability that could enable an attacker to obtain the content of a file in the web context.”

Markus Wulftange found the vulnerability last year, and ZK fixed it on May 5, 2022, with the release of 9.6.2. Web designers can easily and quickly build graphical user interfaces for web applications with the help of the open-source Java Ajax Web app framework ZK.

The flaw has a wide-ranging effect because the ZK framework is widely used in projects of all shapes and sizes. ConnectWise Recover, version 2.9.7 and earlier, and ConnectWise R1SoftServer Backup Manager, version 6.16.3 and earlier, are notable instances of products using the ZK framework.

According to CISA, this vulnerability “poses a major risk to the federal business” and is a common attack vector for bad actors online. CISA gave federal agencies approximately three weeks to address the security risk and take appropriate action by setting the deadline to implement the available security updates to March 20, 2023.

Actively exploited

This vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalogue after the Fox-IT team of NCC Group released a paper outlining how the flaw was being actively used in attacks.

According to Fox-IT, it was found that an adversary used CVE-2022-36537 to obtain initial access to the ConnectWise R1Soft Server Backup Manager software during a recent incident response.

The attackers installed a malicious database driver with a backdoor, giving them access to all systems connected to that R1Soft server. The attackers then influenced downstream completion via the R1Soft Backup Agent.

Fox-IT conducted further research into that incident and discovered that R1Soft server software had been the target of global exploitation attempts since November 2022. As of January 9, 2023, at least 286 servers were found to be running this backdoor.

However, the fact that the flaw was exploited is not shocking because several proofs-of-concept (PoC) attacks were made public on GitHub in December 2022. The availability of tools to launch attacks against unfixed R1Soft Server Backup Manager deployments makes it essential for admins to update to the most recent version.