Critical RCE Vulnerability Reported in ConnectWise Server Backup Solution

IT service management software platform ConnectWise has released software patches for a critical security vulnerability in Recover and R1Soft Server Backup Manager.
ConnectWise's advisory notes that Recover v2.9.7 and earlier, as well as R1Soft SBM v6.16.3 and earlier, are impacted by the critical flaw.
At its core, the issue is tied to an upstream authentication bypass vulnerability in the ZK open source Ajax web application framework, which was initially patched in May 2022.
"Affected ConnectWise Recover SBMs have automatically been updated to the latest version of Recover," the company said, urging customers to upgrade to SBM v6.16.4 shipped on October 28, 2022.
Cybersecurity firm Huntress said it identified "upwards of 5,000 exposed server manager backup instances," potentially exposing companies to supply chain risks.
"The access an attacker can gain by using this authentication bypass vulnerability is specific to the application being exploited, however there is serious potential for other applications to be affected in a similar way to R1Soft Server Backup Manager."
News URL
https://thehackernews.com/2022/11/critical-rce-vulnerability-reported-in.html