CISA warns of hackers exploiting ZK Java Framework RCE flaw
Security News, February 2023

The U.S. Cybersecurity & Infrastructure Security Agency has added CVE-2022-36537 to its "Known Exploited Vulnerabilities Catalog" after threat actors began actively exploiting the remote code execution flaw in attacks.
CVE-2022-36537 is a high-severity flaw impacting the ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1, enabling attackers to access sensitive information by sending a specially crafted POST request to the AuUploader component.
"ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context," mentions CISA's description of the flaw.
ZK is an open-source Ajax Web app framework written in Java, enabling web developers to create graphical user interfaces for web applications with minimal effort and programming knowledge.
The ZK framework is widely employed in projects of all types and sizes, so the flaw's impact is widespread and far-reaching.
Notable examples of products using the ZK framework include ConnectWise Recover, version 2.9.7 and earlier, and ConnectWise R1SoftServer Backup Manager, version 6.16.3 and earlier.
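Two things a defender needs from this advisory are an affected-version check (exact versions for ZK itself, "version X and earlier" for the two ConnectWise products) and a quick way to pull POST requests to the upload servlet out of web server access logs so they can be reviewed against expected user activity. The script below is an added example, not code from ZK, ConnectWise or CISA. It assumes the ZK update-engine upload endpoint is served at /zkau/upload (labelled as an assumption in the code; adjust it if your deployment maps the AU servlet elsewhere), and the log lines it parses are constructed samples in Common Log Format.

```python
"""Triage helpers for CVE-2022-36537 (ZK Framework AuUploader).

Added example for this article; not code from ZK, ConnectWise or CISA.
Assumptions that go beyond the advisory text are marked in comments.
"""
import re
from typing import Dict, Iterable, Tuple

# ZK versions the advisory names as affected (matched exactly).
AFFECTED_ZK_VERSIONS = {"9.6.1", "9.6.0.1", "9.5.1.3", "9.0.1.2", "8.6.4.1"}

# Products bundling ZK where "version X and earlier" is affected.
AFFECTED_UP_TO = {
    "connectwise-recover": "2.9.7",
    "connectwise-r1soft-sbm": "6.16.3",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.6.0.1' into (9, 6, 0, 1); a non-numeric suffix ends parsing."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_le(a: str, b: str) -> bool:
    """True if a <= b, comparing components numerically, zero-padded."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa <= pb


def is_affected(product: str, version: str) -> bool:
    """Return True when product/version falls inside the advisory's ranges."""
    if product == "zk":
        return version.strip() in AFFECTED_ZK_VERSIONS
    ceiling = AFFECTED_UP_TO.get(product)
    if ceiling is None:
        raise ValueError(f"unknown product: {product}")
    return version_le(version, ceiling)


# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# ASSUMPTION: ZK serves AuUploader at /zkau/upload under the AU servlet.
AU_UPLOAD_PATH = "/zkau/upload"


def uploader_posts(lines: Iterable[str], path: str = AU_UPLOAD_PATH) -> Dict[str, int]:
    """Count POST requests to the upload servlet per client IP.

    Query strings are stripped before comparison so /zkau/upload?uuid=...
    still matches; ordinary AU traffic to /zkau is not counted.
    """
    hits: Dict[str, int] = {}
    for line in lines:
        match = LOG_RE.match(line)
        if not match or match["method"] != "POST":
            continue
        if match["path"].split("?", 1)[0] != path:
            continue
        hits[match["ip"]] = hits.get(match["ip"], 0) + 1
    return hits


# Constructed sample log lines (not from a real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2023:10:12:01 +0000] "GET /login HTTP/1.1" 200 2311
203.0.113.7 - - [24/Feb/2023:10:12:05 +0000] "POST /zkau/upload?uuid=z1&dtid=z_x HTTP/1.1" 200 5127
198.51.100.9 - - [24/Feb/2023:10:13:44 +0000] "POST /zkau HTTP/1.1" 200 412
203.0.113.7 - - [24/Feb/2023:10:12:09 +0000] "POST /zkau/upload?uuid=z1&dtid=z_x HTTP/1.1" 200 4980
""".splitlines()


if __name__ == "__main__":
    for product, version in [("zk", "9.6.1"), ("zk", "9.6.2"),
                             ("connectwise-recover", "2.9.7"),
                             ("connectwise-r1soft-sbm", "6.16.4")]:
        print(f"{product} {version}: {'AFFECTED' if is_affected(product, version) else 'not listed'}")
    for ip, count in uploader_posts(SAMPLE_LOG).items():
        print(f"{ip}: {count} POST(s) to {AU_UPLOAD_PATH}")
```

Legitimate file uploads hit the same servlet, so a count of POSTs is a triage list rather than a detection: compare the source addresses and timestamps against real user sessions, and treat uploads from clients that never authenticated, or that are followed by unexpected responses, as worth a closer look. The ZK check is deliberately exact-match because the advisory names specific versions; if you run an older build from one of those branches, confirm its status with ZK rather than assuming it is clean.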
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS 3.x base score) |
|---|---|---|---|
| 2022-08-26 | CVE-2022-36537 | Unspecified vulnerability in Zkoss ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the AuUploader component. | 7.5 |