ConnectWise, which provides IT management software for managed service providers, said it has fixed a critical-severity vulnerability that if exploited could allow a threat actor to remotely execute code or access confidential data.
The vulnerability impacts the ConnectWise Recover (v2.9.7 and earlier) backup and disaster recovery tool and the R1Soft (v6.16.3 and earlier) server backup manager tool. For R1Soft, impacted users need to upgrade to v6.16.4, while ConnectWise said that impacted ConnectWise Recover server backup managers have automatically been updated to the latest version (v2.9.9). However, in a recent analysis, Huntress researchers said a significant number of vulnerable instances remain.
“Our research identified upwards of 5,000 exposed server manager backup instances via Shodan — all of which had the potential to be exploited by threat actors, along with their registered hosts,” according to John Hammond and Caleb Stewart, security researchers with Huntress, on Monday. “Considering that Server Backup Manager SE is predominately used by Hosting and Managed Service Providers who specialize in outsourced IT services for many businesses, this vulnerability has the potential to impact significantly more than 5,000 SMBs.”
ConnectWise has recommended that impacted users patch as soon as possible and categorized the flaw as a priority one, a designation reserved for “vulnerabilities that are either being targeted or have a higher risk of being targeted by exploits in the wild.”
“It is important to note that the upstream ZK vulnerability not only affects R1Soft, but also any application utilizing an unpatched version of the ZK framework."
The issue stems from an upstream authentication bypass vulnerability in the ZK open-source Ajax web application framework (CVE-2022-36537), which was discovered by Markus Wulftange with Code White GmbH and initially patched in May 2022. Months later, in July, Florian Hauser with Code White GmbH found that the flaw is bundled with ConnectWise’s R1Soft application, meaning that certain ConnectWise products are vulnerable. Researchers with Huntress have since built on this discovery and the initial vulnerability in order to create a proof-of-concept (PoC) exploit that could be leveraged against vulnerable ConnectWise R1Soft instances to bypass authentication, gain code execution and deploy the Lockbit 3.0 ransomware.
“Huntress has reproduced this issue and furthered the proof of concept exploit, leveraging the initial vulnerability to leak server private key files, software licenses, system configuration files and ultimately gain Remote Code Execution (RCE) as the system superuser and manipulate R1Soft to push further arbitrary code execution downstream to all registered endpoints,” according to Huntress researchers in their analysis.
No evidence of exploitation in the wild has been detected thus far by Huntress or ConnectWise, and ConnectWise’s patch is effective in stopping the PoC exploit, Huntress confirmed. However, Huntress researchers said that other applications may also be impacted by the upstream ZK authentication bypass vulnerability.
“It is important to note that the upstream ZK vulnerability not only affects R1Soft, but also any application utilizing an unpatched version of the ZK framework,” according to Huntress researchers. “The access an attacker can gain by using this authentication bypass vulnerability is specific to the application being exploited, however there is serious potential for other applications to be affected in a similar way to R1Soft Server Backup Manager.”