On October 28th, 2022, ConnectWise disclosed a critical remote code execution (RCE) vulnerability affecting ConnectWise Recover (version 2.9.7 and earlier) and R1Soft Server Backup Manager (version 6.16.3 and earlier).
A threat actor could leverage an authentication bypass vulnerability in these products (CVE-2022-36537) to leak server private key files, software licenses, and system configuration files and ultimately achieve RCE as the system superuser. Additionally, threat actors may be able to manipulate the affected software to deploy malicious code for execution on associated endpoint systems.
Note: CVE-2022-36537 affects the ZK library for Java, which is used within ConnectWise Recover and the R1Soft Server Backup Manager software. A patch had been released for ZK version 9.7.2 in May 2022. More recently, security researchers have publicly disclosed methods for exploitation of this vulnerability in ConnectWise Recover/R1Soft Server Backup Manager.
The security researchers who responsibly disclosed the vulnerability published a detailed blog post and proof of concept (PoC) exploit on October 31, 2022. Arctic Wolf assesses that threat actors will likely begin exploiting this vulnerability in the near term due to the publicly available PoC and the ease of exploitation. We therefore strongly recommend applying the relevant security patch to impacted devices to prevent potential exploitation.
- ConnectWise Recover: Recover v2.9.7 and earlier versions are impacted.
- R1Soft: SBM v6.16.3 and earlier versions are impacted.
Recommendations for CVE-2022-36537
Recommendation #1: Upgrade to the latest version of ConnectWise Recover & R1Soft Server Backup Manager
If you are using ConnectWise Recover in your environment, ensure that you’ve been automatically upgraded to a version later than 2.9.7.
Please follow your organisation’s patching and testing guidelines to avoid any operational impact.
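To turn the affected-version list above into an inventory check, here is an added example (not Arctic Wolf's, ConnectWise's or R1Soft's code) that compares installed version strings against the ceilings the advisory states (Recover 2.9.7, SBM 6.16.3) as integer tuples, so that 2.10.0 correctly sorts after 2.9.7 where a plain string comparison would not. The inventory rows and hostnames are constructed sample data.

```python
"""Inventory triage for CVE-2022-36537 (added example, constructed data)."""
import re
from typing import List, Tuple

# Highest affected version per product, as stated in the advisory.
AFFECTED_CEILING = {
    "ConnectWise Recover": (2, 9, 7),
    "R1Soft Server Backup Manager": (6, 16, 3),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.16.3', 'v2.9.7' or '6.16.3-build12' into a comparable int tuple.

    Missing trailing components are padded with zeros (2.9 -> 2.9.0).
    """
    match = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is at or below the affected ceiling."""
    return parse_version(version) <= AFFECTED_CEILING[product]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, product) pairs that still need the patch."""
    return [(host, product) for host, product, ver in inventory
            if is_affected(product, ver)]


# Constructed sample inventory: hostname, product, installed version.
SAMPLE_INVENTORY = [
    ("backup-01.example.internal", "R1Soft Server Backup Manager", "6.16.3"),
    ("backup-02.example.internal", "R1Soft Server Backup Manager", "6.16.4"),
    ("recover-01.example.internal", "ConnectWise Recover", "v2.9.7"),
    ("recover-02.example.internal", "ConnectWise Recover", "2.10.0"),
    ("recover-03.example.internal", "ConnectWise Recover", "2.9"),
]

if __name__ == "__main__":
    for host, product in triage(SAMPLE_INVENTORY):
        print(f"NEEDS PATCH: {host} ({product})")
```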
Recommendation #2: Limit public hosting of affected services
If at all possible, avoid hosting services such as ConnectWise Recover or R1Soft Server Backup Manager on publicly accessible network interfaces. This significantly reduces the likelihood that a threat actor will find and exploit vulnerabilities in your environment.