CVE-2022-36537
Published: 2022-08-26
Severity: High, CVSS 3.1 base score 7.5 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: CISA KEV, exploited in the wild, ransomware, initial access
CISA Known Exploited Vulnerability, remediation due 2023-03-20
EPSS: 95.34% (99.9th percentile)
ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zkoss | zk_framework | < 8.6.4.2 | 8.6.4.2 |
| zkoss | zk_framework | >= 9.0.0 < 9.0.1.3 | 9.0.1.3 |
| zkoss | zk_framework | >= 9.5.0 < 9.5.1.3 | 9.5.1.3 |
| zkoss | zk_framework | >= 9.6.0 < 9.6.2 | 9.6.2 |
Detection & IOCs (extracted from sources)
- URL: /zkau/upload?uuid=101010&dtid={{dtid}}&sid=0&maxsize=-1
- Path: /WEB-INF/web.xml
- Path: /login.zul
- Path: /zkau/upload
- Use Shodan/FOFA queries to identify exposed R1Soft Server Backup Manager instances that may be vulnerable: http.title:"Server backup manager" or title="server backup manager"
- The exploit chain requires only POST requests; monitor for sequences of unauthenticated POST requests to ZK framework endpoints that simulate widget/page interactions (swinging between widget identifiers) without a prior authenticated session
- ZK Framework AuUploader exploitation can be used to retrieve files in the web context; monitor for access to sensitive paths such as zk.xml in addition to /WEB-INF/web.xml
- The Nuclei template extracts a dynamic 'dtid' token from the /login.zul page and uses it in the subsequent POST to /zkau/upload; detection rules must account for this dynamic parameter rather than matching a static URL
- The vulnerability requires maxsize=-1 in the upload request query string as part of the crafted POST; this unusual negative value can serve as a detection signal
- ConnectWise Recover SBMs were automatically updated to v2.9.9, but R1Soft instances require a manual upgrade to SBM v6.16.4; unpatched R1Soft instances remain exploitable
- The ZK Framework vulnerability affects versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1; patched in ZK version 9.7.2
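The detection signals listed above (stable path /zkau/upload, the unusual maxsize=-1 query value, a missing session, and a preceding fetch of /login.zul that supplies the per-page dtid token) can be turned into a simple log triage rule. The following is an added example, not code from any of the sources on this page; the log format and the five log lines are constructed for the example, and the session-cookie column is an assumption about what the proxy logs.

```python
import re
from urllib.parse import urlsplit, parse_qs
from collections import defaultdict

# Constructed sample lines (not real traffic) in a simplified format:
# client ip, method, request target, status, session cookie name seen (or "-").
SAMPLE_LOG = """\
203.0.113.7 GET /login.zul 200 -
203.0.113.7 POST /zkau/upload?uuid=101010&dtid=z_abc123&sid=0&maxsize=-1 200 -
198.51.100.4 GET /zkau/upload 405 JSESSIONID
10.0.0.5 POST /zkau/upload?uuid=z_5f&dtid=z_9k&sid=0&maxsize=-1 200 JSESSIONID
10.0.0.9 POST /zkau/upload?uuid=z_5f&dtid=z_9k&sid=0 200 JSESSIONID
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d{3}) (?P<cookie>\S+)$')

def analyze(log_text):
    """Return a list of (client_ip, reasons) findings.

    Matching is done on the stable parts of the request (path and the
    maxsize parameter) rather than the full URL, because uuid and dtid
    change per page load and a static-URL rule would miss them."""
    findings = []
    saw_login = defaultdict(bool)   # client ips that fetched /login.zul earlier
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that do not fit the assumed format
        ip, method, target, cookie = m['ip'], m['method'], m['target'], m['cookie']
        parts = urlsplit(target)
        if method == 'GET' and parts.path == '/login.zul':
            saw_login[ip] = True
            continue
        if method != 'POST' or parts.path != '/zkau/upload':
            continue
        qs = parse_qs(parts.query)
        reasons = []
        if qs.get('maxsize') == ['-1']:
            reasons.append('maxsize=-1 in upload query')
        if cookie == '-':
            reasons.append('no session cookie')
        if saw_login[ip]:
            reasons.append('preceded by GET /login.zul from same client')
        if reasons:
            findings.append((ip, '; '.join(reasons)))
    return findings
```

A hit on all three reasons for one client is the shape of the unauthenticated chain described in the bullets; a lone maxsize=-1 from an authenticated session is worth a look but is weaker evidence.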
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |
| cisa | | 7.5 | HIGH | |
OSV
ZK Framework vulnerable to malicious POST
osv · 2022-08-27 · CVE-2022-36537 [HIGH]
ZK Framework version 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
GHSA
ZK Framework vulnerable to malicious POST
ghsa · 2022-08-27 · CVE-2022-36537 [HIGH] · CWE-200
ZK Framework version 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
VulnCheck
ZK Framework AuUploader Unspecified Vulnerability
vulncheck · 2022 · CVSS 7.5 · CVE-2022-36537 [HIGH] · CWE-441
ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context. The ZK Framework is an open-source Java framework. This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager.
Affected: ZK Framework AuUploader
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://info.securin.io/hubfs/Securin%20Ransomware%20Report%202023.pdf
- https://blog.fox-it.com/2023/02/22/from-backup-to-backdoor-exploitation-of-cve-2022-36537-in-r1soft-server-backup-manager/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vu
CISA
ZK Framework AuUploader Unspecified Vulnerability
cisa · 2023-02-27 · CVSS 7.5 · CVE-2022-36537 [HIGH] · CWE-441
Affected: ZK Framework AuUploader
ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context. The ZK Framework is an open-source Java framework. This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager.
Required Action: Apply updates per vendor instructions.
Notes:
- https://tracker.zkoss.org/browse/ZK-5150
- https://nvd.nist.gov/vuln/detail/CVE-2022-36537
Remediation Due Date: 2023-03-20
No detection rules found.
Nuclei
ZK Framework - Information Disclosure
nuclei · CVSS 7.5 · CVE-2022-36537 [HIGH]
ZK Framework 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 is susceptible to information disclosure. An attacker can access sensitive information via a crafted POST request to the component AuUploader and thereby possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations.
Template (info block as shown on the page):

```yaml
id: CVE-2022-36537

info:
  name: ZK Framework - Information Disclosure
  author: theamanrawat
  severity: high
  description: |
    ZK Framework 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 is susceptible to information disclosure. An attacker can access sensitive information via a crafted POST request to the component AuUploader and thereby possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations
```
Qualys
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
blogs_qualys · 2025-05-08
## Table of Contents
Who is LockBit? How it Evolved and Operates
Monero: The Coin of the Realm
Patch or Mitigate Now: Critical CVEs Exploited by LockBit
Beyond Traditional Endpoints: Other Compromised Systems
Initial Access and Deployment
Conclusion
The LockBit ransomware gang recently suffered a significant data breach. Their dark web affiliate panels were defaced with the message “Don’t do crime CRIME IS BAD xoxo from Prague,” linking to a MySQL database dump. This archive contains a SQL file from LockBit’s affiliate panel database that includes twenty tables, notably including a ‘btc_addresses’ table with 59,975 unique bitcoin addresses and a ‘chats’ table containing over 4,400 victim negotiation messages from December 2024 to the end of April 2025.
This blog post will leverage
Fortinet
Meet LockBit: The Most Prevalent Ransomware in 2022 | FortiGuard Labs
blogs_fortinet · 2023-07-10
FORTIGUARD LABS THREAT RESEARCH
Meet LockBit: The Most Prevalent Ransomware in 2022
By Shunichi Imano and James Slaughter | July 10, 2023
Affected platforms: Microsoft Windows, Linux, ESXi, MacOS
Impacted parties: Microsoft Windows, Linux, ESXi, and MacOS Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption and not to leak stolen files
Severity level: High
On June 14th, 2023, the CISA, FBI, MS-ISAC, and multiple international cyber security organizations released a joint advisory for the LockBit ransomware. This ransomware group has been active since early 2020, targeting organizations across numerous industries, including energy and government sectors. According to the advisory, LockBit was the most active ransomware in 2022.
This blog provides
Checkpoint
6th March – Threat Intelligence Report
blogs_checkpoint · 2023-03-06 · CVE-2023-0669
For the latest discoveries in cyber research for the week of 6th March, please download our Threat_Intelligence Bulletin
TOP ATTACKS AND BREACHES
The American fast food chain Chick-fil-A has released an announcement revealing a credential stuffing attack occurred on their website and mobile app. The attack exposed over 71K customers’ accounts data, including names, email addresses, mobile payment numbers and masked credit or debit card numbers, and threat actors may have u
Talos
Threat Source newsletter (March 2, 2023) — Little victories in the fight against ransomware
blogs_talos · 2023-03-02
Welcome to this week’s edition of the Threat Source newsletter.
For years, we as a cybersecurity community have been discussing ways we can fight the global ransomware problem. This included things like pushing for more sanctions against international ransomware groups, new laws from federal governments and decreased access to virtual currency often used by actors to stay undetected.
Now, here’s the crazy thing: It might be working.
As Talos discussed in our Year in Review report, ransomware engagements made up a smaller portion of Cisco Talos Incident Response’s engagements in 2022 compared to the previous year, and there’s been a greater democratization of ransomware families, meaning they’re less siloed and more focused into a few larger groups.
A study from blockchain analysis grou
Huntress
ConnectWise/R1Soft Server Backup Manager Remote Code Execution & Supply Chain Risks | Huntress
blogs_huntress · 2022-10-31 · CVSS 7.5 · CVE-2022-36537 [HIGH]
UPDATE 2/27/23: As recently spotted by Fox-IT and subsequently reported in SecurityWeek, a critical vulnerability discovered last year in ConnectWise’s R1Soft Server Backup Manager software has now been seen exploited in the wild to deploy backdoors on hundreds of servers via CVE-2022-36537. The article below was originally published in late October by Senior Security Researchers John Hammond and Caleb Stewart detailing the ways in which this vulnerability could be exploited, and it has been confirmed this method is now being utilized by threat actors.
Community education and outreach are critical to driving awareness of these situations and avoiding damage by offering expert, data-driven insights for remediation. It's both a privilege and a responsibility to partner with the broader
References
- https://tracker.zkoss.org/browse/ZK-5150
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36537
Timeline
- 2022-08-26: Published
- 2023-02-27: Added to CISA KEV
- Exploited in the wild