CVE-2022-36537
published 2022-08-26


Priority: P1 93 high
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2023-03-20
Exploited in the wild
EPSS: 95.34% (99.9th percentile)
ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.

Affected (4 ranges)

Vendor | Product      | Version range        | Fixed in
zkoss  | zk_framework | < 8.6.4.2            | 8.6.4.2
zkoss  | zk_framework | >= 9.0.0, < 9.0.1.3  | 9.0.1.3
zkoss  | zk_framework | >= 9.5.0, < 9.5.1.3  | 9.5.1.3
zkoss  | zk_framework | >= 9.6.0, < 9.6.2    | 9.6.2

Detection & IOCs (extracted from sources)

url:  /zkau/upload?uuid=101010&dtid={{dtid}}&sid=0&maxsize=-1
path: /WEB-INF/web.xml
path: /login.zul
path: /zkau/upload
  • Use Shodan/FOFA queries to identify exposed R1Soft Server Backup Manager instances that may be vulnerable: http.title:"Server backup manager" or title="server backup manager"
  • The exploit chain requires only POST requests; monitor for sequences of unauthenticated POST requests to ZK framework endpoints that simulate widget/page interactions (switching between widget identifiers) without a prior authenticated session
  • ZK Framework AuUploader exploitation can be used to retrieve files in the web context; monitor for access to sensitive paths like zk.xml in addition to /WEB-INF/web.xml
  • The Nuclei template extracts a dynamic 'dtid' token from the /login.zul page and uses it in the subsequent POST to /zkau/upload; detection rules must account for this dynamic parameter rather than a static URL
  • The vulnerability requires maxsize=-1 in the upload request query string as part of the crafted POST; this unusual negative value can serve as a detection signal
  • ConnectWise Recover SBMs were automatically updated to v2.9.9, but R1Soft instances require a manual upgrade to SBM v6.16.4; unpatched R1Soft instances remain exploitable
  • The ZK Framework vulnerability affects versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1; patched in ZK version 9.7.2
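As an added example, not part of this record or its sources, the two detection signals in the notes above (the dynamic dtid parameter and the maxsize=-1 value in the /zkau/upload query) turned into a small access-log check. The log lines are constructed, and the parser assumes Apache/nginx combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
# Line 1-2: one source fetches /login.zul, then POSTs to /zkau/upload with maxsize=-1.
# Line 3: a legitimate upload with a normal positive maxsize from another source.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:10:01:02 +0000] "GET /login.zul HTTP/1.1" 200 5123 "-" "python-requests/2.28"
203.0.113.7 - - [10/Mar/2023:10:01:03 +0000] "POST /zkau/upload?uuid=101010&dtid=z_8q3&sid=0&maxsize=-1 HTTP/1.1" 200 812 "-" "python-requests/2.28"
198.51.100.4 - - [10/Mar/2023:10:05:44 +0000] "POST /zkau/upload?uuid=a1b2&dtid=z_x1&sid=0&maxsize=10485760 HTTP/1.1" 200 44 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Split one combined-log line into source, method, path and query dict (None if unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec

def suspicious_upload(rec):
    """Return a reason string if the request matches the AuUploader pattern, else None."""
    if rec["path"].rstrip("/") != "/zkau/upload":
        return None
    q = rec["query"]
    # dtid is a per-desktop token and changes every time, so only its presence is
    # checked; matching on a fixed value would miss every real request.
    if "dtid" not in q:
        return None
    if q.get("maxsize") == "-1":
        return "maxsize=-1 in /zkau/upload query"
    return None

def scan(log_text):
    """Scan a log and return (source, method, reason) for each suspicious upload request."""
    findings, seen_login = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == "/login.zul":
            seen_login.add(rec["src"])          # where the dtid token gets harvested
        reason = suspicious_upload(rec)
        if reason:
            if rec["src"] in seen_login:
                reason += "; preceded by GET /login.zul from the same source"
            findings.append((rec["src"], rec["method"], reason))
    return findings
```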

CVSS provenance

Source    | Score      | Severity | Vector
nvd       | 7.5 (v3.1) | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck | 7.5        | HIGH     |
cisa      | 7.5        | HIGH     |