Critical RCE Vulnerability Reported in ConnectWise Server Backup Solution


The Hacker News

IT service management software platform ConnectWise has released software patches for a critical security vulnerability in Recover and R1Soft Server Backup Manager (SBM).

The issue, characterized as a “neutralization of Special Elements in Output Used by a Downstream Component,” could be abused to result in the execution of remote code or disclosure of sensitive information.

ConnectWise’s advisory notes that Recover v2.9.7 and earlier, as well as R1Soft SBM v6.16.3 and earlier, are impacted by the critical flaw.

At its core, the issue is tied to an upstream authentication bypass vulnerability in the ZK open source Ajax web application framework (CVE-2022-36537), which was initially patched in May 2022.

“Affected ConnectWise Recover SBMs have automatically been updated to the latest version of Recover (v2.9.9),” the company said, urging customers to upgrade to SBM v6.16.4 shipped on October 28, 2022.

Cybersecurity firm Huntress said it identified “upwards of 5,000 exposed server manager backup instances,” potentially exposing companies to supply chain risks.

While there is no evidence of active exploitation of the vulnerability in the wild, a proof-of-concept devised by Huntress researchers John Hammond and Caleb Stewart shows that it can be abused to bypass authentication, gain remote code execution on SBM, and push LockBit 3.0 ransomware to all downstream endpoints.

“It is important to note that the upstream ZK vulnerability not only affects R1Soft, but also any application utilizing an unpatched version of the ZK framework,” the researchers said.

“The access an attacker can gain by using this authentication bypass vulnerability is specific to the application being exploited, however there is serious potential for other applications to be affected in a similar way to R1Soft Server Backup Manager.”


Related news

Threat Source newsletter (March 2, 2023) — Little victories in the fight against ransomware

Serious sanctions and legal consequences may be slowing ransomware groups down, but it's still unclear if this is a permanent shift.

CISA: ZK Java Framework RCE Flaw Under Active Exploit

The flaw, which drew attention in October when it was found in ConnectWise products, could pose a significant risk to the supply chain if not patched immediately.

CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive

Patch Now: Dangerous RCE Bug Lays Open ConnectWise Server Backup Managers

A critical security vulnerability gives attackers a way to compromise thousands of systems at ConnectWise's managed service provider (MSP) customer locations and their downstream clients.

CVE-2022-36537: [ZK-5150] Vulnerability in zk upload

ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.