Critical Vulnerability in ConnectWise Recover and R1Soft Server Backup Manager

Published on 02 Nov 2022

Updated on 02 Nov 2022

ConnectWise has released security updates to address a critical remote code execution (RCE) vulnerability (CVE-2022-36537) affecting the ZK framework used in ConnectWise Recover and R1Soft Server Backup Manager (SBM) secure backup solutions.

Successful exploitation of the vulnerability could allow an attacker to perform remote code execution or directly access confidential data.

The vulnerability affects the following products:

  • ConnectWise Recover version 2.9.7 and earlier versions
  • R1Soft SBM version 6.16.3 and earlier versions

 

Affected ConnectWise Recover SBMs have automatically been updated to the latest version 2.9.9. Administrators and users of affected R1Soft SBM versions are advised to upgrade to version 6.16.4 immediately.

More information is available here:

https://www.connectwise.com/company/trust/security-bulletins/r1soft-and-recover-security-bulletin

https://www.bleepingcomputer.com/news/security/connectwise-fixes-rce-bug-exposing-thousands-of-servers-to-attacks/