
CISA warns of hackers exploiting ZK Java Framework RCE flaw
2023-02-28 21:37

The U.S. Cybersecurity & Infrastructure Security Agency has added CVE-2022-36537 to its "Known Exploited Vulnerabilities Catalog" after threat actors began actively exploiting the remote code execution flaw in attacks.

CVE-2022-36537 is a high-severity flaw impacting the ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1, enabling attackers to access sensitive information by sending a specially crafted POST request to the AuUploader component.

"ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context," reads CISA's description of the flaw.

ZK is an open-source Ajax Web app framework written in Java, enabling web developers to create graphical user interfaces for web applications with minimal effort and programming knowledge.

The ZK framework is widely employed in projects of all types and sizes, so the flaw's impact is widespread and far-reaching.

Notable examples of products using the ZK framework include ConnectWise Recover, version 2.9.7 and earlier, and ConnectWise R1Soft Server Backup Manager, version 6.16.3 and earlier.

News URL

https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/

Related Vulnerability

DATE: 2022-08-26
CVE: CVE-2022-36537
VULNERABILITY TITLE: Unspecified vulnerability in Zkoss ZK Framework
DESCRIPTION: ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
ATTACK VECTOR: network
ATTACK COMPLEXITY: low
VENDOR: zkoss
RISK: 7.5