Security Experts:

Connect with us

Hi, what are you looking for?



R1Soft Server Backup Manager Vulnerability Exploited to Deploy Backdoor

Hackers have been exploiting a vulnerability tracked as CVE-2022-36537 to hack hundreds of R1Soft servers.

A vulnerability discovered last year in ConnectWise’s R1Soft Server Backup Manager software has been exploited to deploy backdoors on hundreds of servers. 

In late October 2022, ConnectWise informed customers that a critical vulnerability patched in Recover and R1Soft Server Backup Manager products that could allow an attacker to execute arbitrary code or directly access confidential data. 

The vendor warned at the time that the flaw was at high risk of being exploited in the wild and urged users to patch their installations as soon as possible. 

A few days later, managed endpoint detection and response (EDR) firm Huntress explained that this was actually an authentication bypass and sensitive file leak vulnerability affecting the ZK Java framework used by the R1Soft software. The flaw in ZK is tracked as CVE-2022-36537 and it was patched in May 2022.

Huntress researchers demonstrated at the time how an attacker could bypass authentication and upload a backdoored JDBC database driver to achieve arbitrary code execution, and push a piece of ransomware to all downstream endpoints managed by the software. 

The security firm warned that there had been nearly 5,000 internet-exposed R1Soft servers at the time and hackers could exploit the vulnerability to push ransomware to these systems.

During a recent incident response case, cybersecurity company Fox-IT found evidence that the R1Soft vulnerability had been exploited to gain initial access to a server. The attackers then deployed a malicious database driver that gave them backdoor access.

An analysis by Fox-IT showed that the vulnerability has been exploited in the wild since late November 2022. On January 9, Fox-IT identified 286 backdoored servers, mainly in the United States and South Korea. As of February 20, the number dropped to 146 backdoored servers.

“With the help of fingerprinting, we have identified multiple compromised hosting providers globally,” Fox-IT said in a blog post on Wednesday.

In the attacks observed by the company, the attackers exfiltrated files from compromised systems, including VPN configuration files, IT admin information, and sensitive documents.

Fox-IT has released indicators of compromise (IoCs) that can help organizations determine whether their systems have been hacked through exploitation of CVE-2022-36537.

UPDATE: Patrick Beggs, CISO at ConnectWise, provided the following statement:

“In October 2022, we identified and issued a fix to a newly identified flaw in a component of our underlying framework in ConnectWise Recover and R1Soft, following a responsible disclosure from a third party. We informed our partners of the fix and encouraged those with on-premise instances of the impacted product to install the patch as soon as possible. There was no action required for most partners with ConnectWise Recover; both the cloud and client instances of Server Backup Manager (SBM) were updated as we pushed this patch directly. R1Soft is self-managed; we encouraged these partners to apply the patch quickly. As these threat actors are targeting unpatched servers for exploitation, we continue to encourage our partners to follow industry best practices and patch immediately.

If you have a non-active security incident or a security vulnerability to report, you can do so at any time, 24/7, via the ConnectWise Trust Center. To report an active, urgent security incident, please call our Partner InfoSec Hotline at 1-888-WISE911 and a member of our InfoSec team will promptly assist you.”

Related: CISA Warns of Two Mitel Vulnerabilities Exploited in Wild

Related: Surge in ESXiArgs Ransomware Attacks as Questions Linger Over Exploited Vulnerability

Related: Fortinet Patches Critical Code Execution Vulnerabilities in FortiNAC, FortiWeb

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.