CVE-2022-36537 — ZK Framework AuUploader Unspecified Vulnerability

ZK Framework AuUploader — Path Traversal Enabling File Disclosure, Exploited via ConnectWise R1Soft to Deploy Ransomware

What is ZK Framework and ConnectWise R1Soft?

ZK Framework is an open-source Java web framework used to build enterprise web applications. Its AuUploader servlet handles file upload operations. Because ZK is embedded in numerous third-party products, vulnerabilities in ZK affect any application built on it.

ConnectWise R1Soft Server Backup Manager is a widely deployed enterprise backup solution used by managed service providers (MSPs) to back up hundreds or thousands of client servers. Its market position as MSP infrastructure makes it a particularly high-value target: compromising a single R1Soft instance can cascade into access to all of the MSP's managed customers.

Overview

CVE-2022-36537 is a path traversal / file disclosure vulnerability in the ZK Framework's AuUploader servlet. An unauthenticated remote attacker can send a crafted HTTP request to the servlet to retrieve arbitrary files from within the web application's context — including configuration files that contain credentials. The vulnerability is notable primarily for its exploitation in ConnectWise R1Soft Server Backup Manager, where Huntress researchers documented a mass exploitation campaign that used the file read capability to extract R1Soft credentials, then used those credentials to deploy backdoor JDBC database drivers and ransomware across thousands of managed servers.

Affected Versions

Product                                    Vulnerable           Fixed
ZK Framework                               < 9.6.2              9.6.2
ConnectWise R1Soft Server Backup Manager   < 6.16.4             6.16.4
Other ZK-based applications                Varies by product    Upgrade ZK to 9.6.2+

Technical Details

The AuUploader servlet in ZK Framework does not properly sanitize the resource path in upload requests. An attacker can include path traversal sequences (../) or absolute paths in the request to read files outside the intended upload directory — including files within the web application's classpath and configuration paths.

  • Authentication required: None — the AuUploader endpoint is exposed to unauthenticated requests
  • Attack complexity: Low — straightforward HTTP GET request with a manipulated path parameter
  • Impact on R1Soft: R1Soft stores its JDBC credentials in configuration files accessible from the web context; reading these allows database access and modification of backup jobs
  • Ransomware chain: Attackers read R1Soft credentials → accessed the JDBC API → deployed a malicious JDBC driver → the driver provided code execution → ransomware deployed to all servers managed by R1Soft

The CVSS score reflects only information disclosure (confidentiality: High, integrity: None); the actual ransomware impact emerged from the credential material obtained, not from the CVE itself.

Discovery

Huntress Labs researchers documented mass exploitation of this vulnerability in ConnectWise R1Soft Server Backup Manager in November 2022. The exploitation campaign was active before Huntress' disclosure and involved threat actors systematically scanning for exposed R1Soft instances.

Exploitation Context

Huntress observed widespread exploitation of R1Soft instances via CVE-2022-36537, with attackers:

  1. Scanning for exposed R1Soft web interfaces
  2. Using the ZK AuUploader path traversal to read r1soft.conf and extract database credentials
  3. Connecting to the R1Soft JDBC API with the stolen credentials
  4. Replacing the legitimate JDBC driver with a malicious one that executed attacker commands
  5. Using the compromised R1Soft agent to push ransomware to hundreds of managed servers simultaneously

The "Known Ransomware Use" flag in the key details below reflects this cascade: a single vulnerable R1Soft instance could result in simultaneous ransomware deployment to an entire MSP's customer base.

Remediation

  1. Upgrade ZK Framework to version 9.6.2 or later in all affected applications
  2. Upgrade ConnectWise R1Soft Server Backup Manager to version 6.16.4 or later
  3. Restrict R1Soft web interface access to trusted IPs — it should never be exposed to the public internet
  4. Audit R1Soft JDBC configurations for unauthorized driver modifications
  5. Review R1Soft audit logs for unexpected file access patterns or JDBC activity from unfamiliar IPs
  6. For MSPs: check all managed server endpoints for signs of ransomware deployment or unauthorized access originating from R1Soft agents
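As an added example (not part of the original advisory, nor ConnectWise or ZK code) that ties the traversal mechanics in Technical Details to remediation step 5, the Python below reviews web access-log lines for requests to the ZK upload servlet whose query parameters decode to a `../` sequence or an absolute path. Assumptions: the AuUploader is reachable at ZK's default `/zkau/upload` mapping, logs are in Common Log Format, the sample lines and the `path` parameter name are constructed placeholders, and every parameter is inspected because the advisory does not name the manipulated one.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: ZK's default web.xml maps the AuUploader servlet to /zkau/upload.
UPLOAD_PATH = "/zkau/upload"
# File the advisory names as the read target in R1Soft; hits on it rank higher.
SENSITIVE_FILES = {"r1soft.conf"}
# Common Log Format: client, ident, user, [timestamp], "method target protocol", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample lines, not real traffic; "path" is a placeholder parameter name.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Nov/2022:10:00:01 +0000] "GET /zkau/upload?uuid=z_abc&path=..%2F..%2Fconf%2Fr1soft.conf HTTP/1.1" 200 512
203.0.113.10 - - [01/Nov/2022:10:00:05 +0000] "GET /zkau/upload?uuid=z_abc&path=%252e%252e%2Fweb.xml HTTP/1.1" 200 1400
203.0.113.10 - - [01/Nov/2022:10:00:09 +0000] "GET /zkau/upload?uuid=z_abc&path=/WEB-INF/web.xml HTTP/1.1" 404 0
198.51.100.7 - - [01/Nov/2022:10:01:00 +0000] "POST /zkau/upload?uuid=z_def&sid=1 HTTP/1.1" 200 45
198.51.100.7 - - [01/Nov/2022:10:02:00 +0000] "GET /zkau/upload?uuid=z_def&path=images%2Flogo.png HTTP/1.1" 200 3100
198.51.100.7 - - [01/Nov/2022:10:03:00 +0000] "GET /index.zul HTTP/1.1" 200 2048
"""

def decode_path(value: str) -> str:
    """Second decode catches double URL-encoding (parse_qsl decoded once); backslashes become slashes."""
    return unquote(value).replace("\\", "/")

def escapes_context(decoded: str, base: str = "/ctx") -> bool:
    """True if the value is an absolute path or normalises to a location outside base."""
    if decoded.startswith("/"):
        return True
    norm = posixpath.normpath(posixpath.join(base, decoded))
    return not (norm == base or norm.startswith(base + "/"))

def scan_access_log(text: str) -> list[dict]:
    """One finding per upload-servlet request whose query carries a traversal or absolute path."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != UPLOAD_PATH:
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = decode_path(value)
            if escapes_context(decoded):
                severity = "high" if posixpath.basename(decoded) in SENSITIVE_FILES else "medium"
                findings.append({"ip": m["ip"], "ts": m["ts"], "param": name, "value": decoded,
                                 "status": int(m["status"]), "severity": severity})
    return findings
```

Calling `scan_access_log(SAMPLE_LOG)` flags three of the six sample requests, all from one client, with the r1soft.conf read ranked high; a 404 on a flagged request still records the attempt, which is what the per-IP pattern of a scanning host looks like.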

Key Details

CVE ID: CVE-2022-36537
Vendor / Product: ZK Framework — AuUploader
NVD Published: 2022-08-26
NVD Last Modified: 2025-11-03
CVSS 3.1 Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH
CISA KEV Added: 2023-02-27
CISA KEV Deadline: 2023-03-20
Known Ransomware Use: ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2023-03-20. Apply updates per vendor instructions.

Timeline

2022-08-26: CVE published; ZK Framework releases patch in version 9.6.2
2022-11-01: Huntress publishes research on R1Soft exploitation via CVE-2022-36537
2023-02-27: Added to CISA Known Exploited Vulnerabilities catalog
2023-03-20: CISA BOD 22-01 remediation deadline