Hundreds of R1Soft Servers Compromised Through CVE-2022-36537

February 22, 2023

Hundreds of R1Soft servers have been compromised through exploitation of a vulnerability tracked as CVE-2022-36537, according to cybersecurity company Fox-IT. The vulnerability was discovered last year in ConnectWise’s R1Soft Server Backup Manager software and patched in May 2022.

"With the help of fingerprinting, we have identified multiple compromised hosting providers globally," said Fox-IT in a blog post on Wednesday. Fox-IT identified 286 backdoored servers in late January, mainly in the United States and South Korea, and the number dropped to 146 backdoored servers by February 20. The attackers exfiltrated files from compromised systems, including VPN configuration files, IT admin information, and sensitive documents.

Fox-IT has released indicators of compromise (IoCs) that can help organizations determine whether their systems have been hacked through exploitation of CVE-2022-36537. Organizations are urged to patch their installations as soon as possible to prevent exploitation of the vulnerability.
