ConnectWise Recover ZK Framework Vulnerability – CyberHoot

ConnectWise Recover and R1Soft risk overview:

CyberHoot learned from Rapid7 today of active exploitation of CVE-2022-36537 in vulnerable versions of ConnectWise R1Soft Server Backup Manager software. The underlying vulnerability is in the ZK Framework, an open source Java framework used to build web applications; ConnectWise uses it in its R1Soft and Recover products. In the observed attacks the flaw is chained into remote code execution and the installation of a malicious database driver that can include remote access functionality. After compromising the server, the attackers were able to execute commands on every system running a ConnectWise Backup Agent connected to the R1Soft server.

The ConnectWise advisory and the NVD entry for CVE-2022-36537 describe the flaw as an information disclosure vulnerability. Rapid7 believes this classification significantly understates the risk and impact of CVE-2022-36537, and CyberHoot agrees that the criticality of this issue is under-reported. We recommend an emergency assessment and patching of your affected systems instead.

In addition, other products that embed the ZK Framework will likely be identified in the coming days or weeks. Check your environment for any other solution that uses the ZK Java framework.

ConnectWise systems are affected

What should you do?

Companies should review their inventory of hardware and software assets for anything that uses the ZK Framework. Patch immediately if you are exposed.

Review your vulnerability scan data for additional exposure. In all cases, follow your Vulnerability Alert Management Process (VAMP) and remediate as required.

For CyberHoot vCISO customers, this is a critical issue that must be fixed immediately wherever it is found, because of the significant potential for highly impactful compromises of multiple devices and systems.

ConnectWise may have already patched some systems:

According to the ConnectWise advisory, affected ConnectWise Recover SBMs were automatically updated to the latest version of Recover (v2.9.9). R1Soft customers, however, must upgrade the Server Backup Manager themselves to SBM v6.16.4, released on October 28, 2022, following the R1Soft upgrade wiki from ConnectWise.

Other expected ZK Framework concerns:

ZK Framework is an open source Java framework used to build web applications. Because we know ConnectWise uses it, we know there are fixes to apply there. Many other web applications may use this framework as well. Evaluate the exposure of your own web applications independently of the advice of CyberHoot, ConnectWise or others to identify other points of risk for your organization.
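One way to act on this advice and on the earlier recommendation to review your asset inventory for ZK Framework use, as an added example written for this page (it is not CyberHoot, ConnectWise or ZK tooling): a Python script that walks a filesystem, finds ZK jars both loose on disk and packaged inside WAR files, reads each jar's version and classifies it against CVE-2022-36537. The affected versions are the ones named in the NVD entry; the fixed releases (9.6.2, 9.6.0.2, 9.5.1.4, 9.0.1.3, 8.6.4.2) are taken from ZK's published fix list and should be confirmed against the vendor advisory before you act on the output. The artifact names, the pom.properties and manifest lookups, the "older than the branch's first fix is unpatched" policy and the sample tree the script builds are assumptions of this example, not facts from the page.

```python
# Added example: locate ZK Framework jars and classify them for CVE-2022-36537.
import os
import re
import tempfile
import zipfile
from io import BytesIO
from typing import Optional

# Versions the NVD entry for CVE-2022-36537 names as affected.
AFFECTED = {"9.6.1", "9.6.0.1", "9.5.1.3", "9.0.1.2", "8.6.4.1"}
# First fixed release per branch as listed by ZK for this CVE (assumption:
# confirm against the vendor advisory before acting on the output).
FIXED = {"9.6.2", "9.6.0.2", "9.5.1.4", "9.0.1.3", "8.6.4.2"}
# Maven artifact names ZK ships (assumption; extend if your build differs).
ZK_ARTIFACTS = {"zk", "zul", "zkbind", "zkplus", "zweb", "zcommon", "zhtml"}
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> tuple:
    """'9.6.0.1' -> (9, 6, 0, 1); unparsable input -> ()."""
    m = VERSION_RE.match(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def classify(version: str) -> str:
    """affected | unpatched | fixed | unknown (branch not in the fix table)."""
    if version in AFFECTED:
        return "affected"
    v = parse_version(version)
    fixes = [parse_version(f) for f in FIXED if parse_version(f)[:2] == v[:2]]
    if not v or not fixes:
        return "unknown"
    # Policy of this script: on a branch that received a fix, anything older
    # than that branch's earliest fixed release is treated as unpatched.
    return "unpatched" if v < min(fixes) else "fixed"


def zk_version_from_jar(name: str, data: bytes) -> Optional[str]:
    """Version recorded in a ZK jar, or None if the jar is not a ZK artifact.
    Checks Maven pom.properties, then the manifest, then the file name."""
    base = os.path.basename(name)
    if not base.endswith(".jar") or base[:-4].split("-")[0] not in ZK_ARTIFACTS:
        return None
    try:
        with zipfile.ZipFile(BytesIO(data)) as jar:
            names = jar.namelist()
            for entry in names:
                if entry.startswith("META-INF/maven/org.zkoss.") and entry.endswith("pom.properties"):
                    for line in jar.read(entry).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            return line.split("=", 1)[1].strip()
            if "META-INF/MANIFEST.MF" in names:
                for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                    if line.startswith("Implementation-Version:"):
                        return line.split(":", 1)[1].strip()
    except zipfile.BadZipFile:
        pass  # not a readable zip: fall back to the version in the file name
    m = re.search(r"-(\d+(?:\.\d+)+)\.jar$", base)
    return m.group(1) if m else None


def scan(root: str) -> list:
    """(path, version, status) for each ZK jar under root, including jars
    packaged inside .war files under WEB-INF/lib."""
    findings = []

    def record(path: str, name: str, data: bytes) -> None:
        version = zk_version_from_jar(name, data)
        if version:
            findings.append((path, version, classify(version)))

    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.endswith(".jar"):
                with open(path, "rb") as fh:
                    record(path, fn, fh.read())
            elif fn.endswith(".war"):
                try:
                    with zipfile.ZipFile(path) as war:
                        for entry in war.namelist():
                            if entry.startswith("WEB-INF/lib/") and entry.endswith(".jar"):
                                record(f"{path}!{entry}", entry, war.read(entry))
                except zipfile.BadZipFile:
                    continue
    return findings


def _jar(entries: dict) -> bytes:
    """Build an in-memory zip/jar from {entry name: str or bytes}."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, content in entries.items():
            z.writestr(n, content)
    return buf.getvalue()


def build_sample(root: str) -> None:
    """Constructed sample tree (not real product files) for a stand-alone run."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "zk-9.6.1.jar"), "wb") as fh:
        fh.write(_jar({"META-INF/maven/org.zkoss.zk/zk/pom.properties": "version=9.6.1\n"}))
    with open(os.path.join(lib, "commons-io-2.11.0.jar"), "wb") as fh:
        fh.write(_jar({"META-INF/MANIFEST.MF": "Implementation-Version: 2.11.0\n"}))
    with open(os.path.join(root, "backup.war"), "wb") as fh:
        fh.write(_jar({"WEB-INF/web.xml": "<web-app/>",
                       "WEB-INF/lib/zul-9.5.1.2.jar": _jar({"META-INF/MANIFEST.MF": "Implementation-Version: 9.5.1.2\n"})}))


def demo() -> dict:
    """Scan the constructed sample; returns {jar file name: (version, status)}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return {os.path.basename(p): (v, s) for p, v, s in scan(tmp)}


if __name__ == "__main__":
    for name, (version, status) in sorted(demo().items()):
        print(f"{status:<10} {version:<8} {name}")
```

Run it against a real install by calling scan() on the application root (for example the directory holding the Server Backup Manager web application) rather than demo(); anything reported as affected or unpatched is a patch-now item under your VAMP, and unknown means the branch is not in the script's fix table and needs a manual check against the ZK advisory.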
