CVE-2022-36537 – Critical RCE Vulnerability & Supply Chain Risks in ConnectWise Recover and R1Soft Server Backup Manager

On October 28th, 2022, ConnectWise disclosed a critical remote code execution (RCE) vulnerability affecting ConnectWise Recover (version 2.9.7 and earlier) and R1Soft Server Backup Manager (version 6.16.3 and earlier).

A threat actor could leverage an authentication bypass vulnerability in these products (CVE-2022-36537) to leak server private key files, software licenses, and system configuration files and ultimately achieve RCE as the system superuser. Additionally, threat actors may be able to manipulate the affected software to deploy malicious code for execution on associated endpoint systems. 

Note: CVE-2022-36537 affects the ZK library for Java, which is used within ConnectWise Recover and the R1Soft Server Backup Manager software. A patch was released for ZK version 9.7.2 in May 2022. More recently, security researchers have publicly disclosed methods for exploiting this vulnerability in ConnectWise Recover/R1Soft Server Backup Manager.

The security researchers who responsibly disclosed the vulnerability published a detailed blog post and proof-of-concept (PoC) exploit on October 31, 2022. Arctic Wolf assesses that threat actors will likely begin exploiting this vulnerability in the near term because of the publicly available PoC and the ease of exploitation. We therefore strongly recommend applying the relevant security patch to impacted devices to prevent potential exploitation.

Affected Products:  

  • ConnectWise Recover: Recover v2.9.7 and earlier versions are impacted. 
  • R1Soft: SBM v6.16.3 and earlier versions are impacted. 

Recommendations for CVE-2022-36537

Recommendation #1: Upgrade to the latest version of ConnectWise Recover & R1Soft Server Backup Manager 

If you are using ConnectWise Recover in your environment, ensure that you’ve been automatically upgraded to a version later than 2.9.7.  

If you are using R1Soft Server Backup Manager v6.16.3 or earlier, upgrade to version 6.16.4 as recommended by ConnectWise. For more details, see the release notes for version 6.16.4. 

Please follow your organization’s patching and testing guidelines to avoid any operational impact. 

Recommendation #2: Limit public hosting of affected services 

If at all possible, avoid hosting services such as ConnectWise Recover or R1Soft Server Backup Manager on publicly accessible network interfaces. This significantly reduces the likelihood that a threat actor will find and exploit vulnerabilities in your environment. 
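The two recommendations above can be combined into a patch-priority check over an asset inventory. The following is an added example, not code from Arctic Wolf or ConnectWise; the inventory row format, the hostnames and addresses, and the choice of which IPv4 ranges count as internal are assumptions.

```python
import ipaddress
import re

# Last affected releases, taken from the advisory text above.
LAST_AFFECTED = {"connectwise recover": (2, 9, 7),
                 "r1soft server backup manager": (6, 16, 3)}
# Assumption: any listener outside these IPv4 ranges counts as publicly reachable.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_version(text):
    """Leading dotted-numeric part of a version string: 'v6.16.3 build 5' -> (6, 16, 3)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(product, version):
    """True/False for the two advisory products (zero-padded compare), None otherwise."""
    limit = LAST_AFFECTED.get(product.strip().lower())
    if limit is None:
        return None
    v = parse_version(version)
    width = max(len(v), len(limit))
    return v + (0,) * (width - len(v)) <= limit + (0,) * (width - len(limit))

def is_public(listen_addr):
    """Wildcard (0.0.0.0) and non-internal listen addresses are treated as exposed."""
    ip = ipaddress.ip_address(listen_addr)
    return not any(ip in net for net in INTERNAL)

def triage(inventory):
    """Map host -> priority from (host, product, version, listen_addr) rows."""
    out = {}
    for host, product, version, listen in inventory:
        affected = is_affected(product, version)
        if affected is None:
            out[host] = "not in scope"
        else:
            out[host] = ("urgent" if is_public(listen) else "patch") if affected else "patched"
    return out

# Constructed sample inventory; hostnames and addresses are made up.
SAMPLE = [
    ("bk01", "R1Soft Server Backup Manager", "6.16.3", "0.0.0.0"),
    ("bk02", "R1Soft Server Backup Manager", "v6.16.4", "10.20.0.5"),
    ("bk03", "ConnectWise Recover", "2.9.7", "192.168.1.10"),
    ("bk04", "ConnectWise Recover", "2.10", "203.0.113.10"),
]
```

Calling `triage(SAMPLE)` marks `bk01` as urgent (affected version on a wildcard listener) and `bk03` as an internal-only host that still needs the patch.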


Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.