The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2022-36537 (CVSS score: 7.5) to its Known Exploited Vulnerabilities Catalog. The vulnerability affects ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1 (the version strings appear garbled in some copies of this article; these are the versions listed in the NVD entry). ZK is an open-source Java web framework, and the flaw is described by CISA as an unspecified vulnerability in its AuUploader servlet that could allow an unauthenticated attacker to retrieve the content of a file located in the web context, such as application resources that would normally not be served to clients.
According to the Binding Operational Directive (BOD) 22-01, federal agencies must address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Private organizations are also encouraged to review the Catalog and address the vulnerabilities in their infrastructure. CISA has ordered federal agencies to fix this flaw by March 20, 2023.
The vendor addressed the vulnerability in May 2022 with the release of versions 9.6.2, 9.6.0.2, 9.5.1.4, 9.0.1.3, and 8.6.4.2, one fix per affected release line. The practical exposure comes from products that embed ZK: in October 2022, researchers from Huntress published proof-of-concept (PoC) exploit code against ConnectWise R1Soft Server Backup Manager, which bundles a vulnerable ZK build, demonstrating how the flaw could be used to bypass authentication, upload a backdoored JDBC database driver to gain code execution on the server, and then use the product's REST API to push commands to registered backup agents, ultimately deploying the recently leaked Lockbit 3.0 ransomware to all downstream endpoints.
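Because the fix landed separately on each release line, a naive "is the version at least 9.6.2?" check gets the answer wrong: 9.6.0.2 sorts below 9.6.1 yet is patched, while 9.6.1 sorts above 9.6.0.2 yet is vulnerable. The following branch-aware checker is an added example written for this article, not code from ZK, CISA, Huntress or Fox-IT. The affected and fixed version lists are those given in the NVD entry for the CVE; the jar file-name pattern, the function names and the sample file list are assumptions made for illustration.

```python
"""Branch-aware version check for CVE-2022-36537 (ZK Framework).

Added example; not from the original article or from the ZK project.
AFFECTED and FIXED come from the NVD entry for this CVE. The jar name
pattern and helper names are assumptions for illustration only.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Versions listed as affected / as carrying the fix (one fix per release line).
AFFECTED = {"9.6.1", "9.6.0.1", "9.5.1.3", "9.0.1.2", "8.6.4.1"}
FIXED = ["9.6.2", "9.6.0.2", "9.5.1.4", "9.0.1.3", "8.6.4.2"]

Version = Tuple[int, ...]


def parse(version: str) -> Version:
    """'9.6.0.2' -> (9, 6, 0, 2); tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def release_line(v: Version) -> Version:
    """Everything except the last component: 9.6.0.2 -> 9.6.0, 9.6.2 -> 9.6."""
    return v[:-1]


# Map each release line to the first version on that line that carries the fix.
FIX_BY_LINE: Dict[Version, Version] = {release_line(parse(f)): parse(f) for f in FIXED}


def naive_is_vulnerable(version: str) -> bool:
    """The tempting but wrong check: compare against the newest fixed version only.

    It flags 9.6.0.2 (a fixed release on the 9.6.0 line) as vulnerable.
    """
    return parse(version) < parse("9.6.2")


def status(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for a ZK version string.

    'unknown' covers release lines the advisory does not list, and releases
    on a listed line that are older than the affected version named in the
    advisory; treat those as unverified rather than as safe.
    """
    v = parse(version)
    fix = FIX_BY_LINE.get(release_line(v))
    if fix is None:
        return "unknown"            # release line not covered by the advisory
    if v >= fix:
        return "fixed"              # at or beyond the fix on this line
    if version in AFFECTED:
        return "vulnerable"         # explicitly listed in the advisory
    return "unknown"                # older release on a covered line


# Assumed naming convention: zk-<version>.jar, zkex-<version>.jar, etc.
JAR_NAME = re.compile(r"^zk[a-z]*-(\d+(?:\.\d+)+)\.jar$")


def version_from_jar_name(name: str) -> Optional[str]:
    match = JAR_NAME.match(name)
    return match.group(1) if match else None


def scan_jar_names(names: Iterable[str]) -> Dict[str, str]:
    """Map each ZK jar file name to its status; non-ZK jars are skipped."""
    result = {}
    for name in names:
        version = version_from_jar_name(name)
        if version is not None:
            result[name] = status(version)
    return result


if __name__ == "__main__":
    # Constructed sample listing of a WEB-INF/lib directory.
    sample = ["zk-9.6.0.2.jar", "zkex-8.6.4.1.jar", "commons-io-2.11.0.jar"]
    for jar, state in scan_jar_names(sample).items():
        print(f"{jar}: {state}")
    print("naive check on 9.6.0.2:", naive_is_vulnerable("9.6.0.2"))
```

Run it against the output of `ls WEB-INF/lib` on an application that embeds ZK. Any result of "unknown" is a prompt to check the vendor's own advisory for that product, since bundled frameworks are often rebuilt or relabelled and the jar name alone is not proof of the patch level.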
Fox-IT researchers recently reported active, in-the-wild exploitation of the flaw against Internet-exposed R1Soft Server Backup Manager installations to deploy a backdoor. As Markus Wulftange of Code White GmbH stated, "The adversary used it as an initial point of access and as a platform to control downstream systems connected via the R1Soft Backup Agent. This agent is installed on systems to support being backed up by the R1Soft server software and typically runs with high privileges." Since the backup agent runs with high privileges on every protected host, a compromised backup server is effectively a command channel to the whole fleet, which is why patching the server and reviewing agent activity both matter here.