CVE-2022-36537

HIGH · KEV · RANSOMWARE · NUCLEI

ZK Framework <9.6.1 - Info Disclosure

Title source: llm

Exploitation Summary

CVE-2022-36537 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 27, 2023, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including Malwareman007, agnihackers, ethan-repo-lab4b6. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2022-36537, targeting ZK framework authentication bypass and ConnectWise r1Soft Server Backup Manager RCE. The exploit includes authentication bypass techniques, file reading capabilities, and a JDBC backdoor deployment mechanism.

Description

ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.

Exploits (3)

nomisec WORKING POC 36 stars
by Malwareman007 · remote
https://github.com/Malwareman007/CVE-2022-36537

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ZK Framework, ConnectWise r1Soft Server Backup Manager
No auth needed
Prerequisites: Target URL · Java environment for JDBC backdoor compilation
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 10 stars
by agnihackers · remote
https://github.com/agnihackers/CVE-2022-36537-EXPLOIT

This repository contains a functional exploit for CVE-2022-36537, targeting ZK framework authentication bypass and ConnectWise r1Soft Server Backup Manager RCE. The exploit includes methods for authentication bypass, file reading, and deploying a JDBC backdoor for remote code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ZK Framework, ConnectWise r1Soft Server Backup Manager
No auth needed
Prerequisites: Target server running vulnerable ZK framework or ConnectWise r1Soft Server Backup Manager · Network access to the target
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by ethan-repo-lab4b6 · remote
https://github.com/ethan-repo-lab4b6/CVE-2022-36537

This repository contains a functional exploit for CVE-2022-36537, targeting the ZK framework authentication bypass and ConnectWise r1Soft Server Backup Manager for remote code execution. The exploit includes methods for authentication bypass, file reading, and deploying a malicious JDBC driver for RCE.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ConnectWise r1Soft Server Backup Manager, ZK Framework
No auth needed
Prerequisites: Target URL · Java environment for compiling JDBC backdoor · mysql-connector-java-5.1.48.jar
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

ZK Framework - Information Disclosure
HIGH · VERIFIED · by theamanrawat
Shodan: http.title:"Server backup manager" || http.title:"server backup manager"
FOFA: title="server backup manager"

Scores

CVSS v3 7.5
EPSS 0.9394
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2023-02-27
VulnCheck KEV 2023-02-14
InTheWild.io 2023-02-27
ENISA EUVD EUVD-2022-6491
Ransomware Use Confirmed
Status published
Products (2)
org.zkoss.zk/zk 0 - 8.6.4.2 (Maven)
zkoss/zk_framework < 8.6.4.2
Published Aug 26, 2022
KEV Added Feb 27, 2023
Tracked Since Feb 18, 2026