Skip to the content.

DIVD-2022-00058 - ZK Framework - ZK AuUploader Servlet Upload Vulnerability

Our reference DIVD-2022-00058
Case lead Ralph Horn & Lennaert Oudshoorn
Author Axel Boesenach
Researcher(s)
CVE(s)
Product ZK Framework
Versions ZK 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1
Recommendation Apply the security patch provided by ZK (9.6.2) https://www.zkoss.org/product/zk/releasenote/9.6.2
Workaround Add custom classes in their declared package as described by ZK in https://tracker.zkoss.org/browse/ZK-5150
Status Open
Last modified 10 May 2023 21:16

Summary

In may 2022 a file upload vulnerability was found by Markus Wulftange in the ZK AuUploader servlets for which a security patch was released by ZK. At the time of this release there was no public exploitation script available to abuse the vulnerability. It wasn’t until the October 2022 blogpost of Huntress that demonstrated the exploitation of the R1Soft Server Backup Manager which uses the ZK framework. At the time of the Huntress blogpost there were no indications of this vulnerability being exploited in the wild until March of 2023 when Fox-IT encountered active exploitation of this software during an incident response engagement.

Because ZK is a framework which can be incorporated in other software applications we can identify whether a service is vulnerable, but we’re unable to identify the exact part that is vulnerable within this software application.

What you can do

When you receive an e-mail notifying a device within your network being vulnerable to this attack it is advised to check which software is running on this device.

If the device is indeed running an instance of the R1Soft Server Backup Manager software it is important to patch this device as soon as possible due to the active exploitation of the vulnerable instance running this software. Please refer to the ConnectWise security advisory.

If the device is not running the R1Soft Server Backup manager software we’d like to know which software is running on the device so we can provide the necessary steps needed to patch the device if the vendor has created a patch for the involved software, or report it to said vendor if there’s no patch available yet.

What we are doing

We are actively scanning the internet for vulnerable ZK instances that do not have the mitigations applied and will notify system owners via the listed abuse contacts.

Timeline

Date Description
30 Oct 2022 DIVD takes notice of ConnectWise vulnerability
31 Oct 2022 Huntress discloses CVE-2022-36537
01 Nov 2022 DIVD merges ConnectWise efforts with ZK Upload case
01 Nov 2022 Huntress involved in case
07 Nov 2022 DIVD starts researching non-intrusive fingerprint
21 Jan 2022 DIVD finds out versions are backported
22 Feb 2023 Fox-IT encounters active exploitation of R1Soft Server Backup Manager
27 Mar 2023 DIVD identifies vulnerable parties
10 Apr 2023 DIVD notifies vulnerable parties
07 May 2023 DIVD conducts new scan
07 May 2023 DIVD notifies vulnerable parties
gantt title DIVD-2022-00058 - ZK Framework - ZK AuUploader Servlet Upload Vulnerability dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00058 - ZK Framework - ZK AuUploader Servlet Upload Vulnerability (still open) :2022-10-30, 2024-03-04 section Events DIVD takes notice of ConnectWise vulnerability : milestone, 2022-10-30, 0d Huntress discloses CVE-2022-36537 : milestone, 2022-10-31, 0d DIVD merges ConnectWise efforts with ZK Upload case : milestone, 2022-11-01, 0d Huntress involved in case : milestone, 2022-11-01, 0d DIVD starts researching non-intrusive fingerprint : milestone, 2022-11-07, 0d DIVD finds out versions are backported : milestone, 2022-01-21, 0d Fox-IT encounters active exploitation of R1Soft Server Backup Manager : milestone, 2023-02-22, 0d DIVD identifies vulnerable parties : milestone, 2023-03-27, 0d DIVD notifies vulnerable parties : milestone, 2023-04-10, 0d DIVD conducts new scan : milestone, 2023-05-07, 0d DIVD notifies vulnerable parties : milestone, 2023-05-07, 0d

More information