CVE-2022-36537
Vexday Risk Score: 100 (Fix now)
SSVC decision (CISA): Act
Exploitation + impact → act immediately
CVSS: 7.5 · EPSS: 95.3% · KEV: yes · Public PoC: yes · Nuclei: yes · Metasploit: — · Patch: —
Lifecycle
26 Aug 2022 · Published on NVD
09 Dec 2022 · Public PoC
27 Feb 2023 · Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
ZK Framework has a flaw in the AuUploader component that allows attackers to access sensitive information by sending specially crafted POST requests. This exposes data that should be protected.
Technical detail
The AuUploader component in ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1 fails to properly validate or restrict access to sensitive data when processing POST requests. An unauthenticated attacker can exploit this by crafting malicious requests to the component, resulting in information disclosure without requiring prior authentication or special privileges.
Summary generated and translated by AI from the official description.
ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
n/a · n/a
Public PoCs found: 3
github · github.com/Malwareman007/CVE-2022-36537 · ★ 36
github · github.com/agnihackers/CVE-2022-36537-EXPLOIT · ★ 9
github · github.com/ethan-repo-lab4b6/CVE-2022-36537 · ★ 0
⚠ Public resources for assessing the exposure of systems you control or are authorized to test. Test only with authorization.