Based on evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability affecting the ZK Framework to its list of Known Exploited Vulnerabilities (KEV). ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1 are affected by the CVE-2022-36537 bug (CVSS score: 7.5), which enables threat actors to retrieve sensitive information through carefully constructed queries.
According to CISA, the ZK Framework is an open-source Java framework. Many products, including but not limited to ConnectWise R1Soft Server Backup Manager, may be affected by this issue.