From Backup to Backdoor: Exploitation of CVE-2022-36537 in R1Soft Server Backup Manager
ID: 1fc9ca19-52b7-5f1a-9d3e-b3c9cf334790
STIX ID: report--1fc9ca19-52b7-5f1a-9d3e-b3c9cf334790
Feed Name: Fox-IT blog
Fox-IT describes an active, widespread exploitation campaign (starting late Nov 2022) that leverages CVE-2022-36537 in the ZK Java Framework to upload malicious JDBC drivers to ConnectWise R1Soft Server Backup Manager. The uploaded drivers register a Godzilla-derived web shell at /zkau/jquery, giving the attacker command execution on the server, lateral control of connected backup agents, and a path for data exfiltration. The report includes IoCs (IP addresses and jar artifacts), Snort/Suricata detection rules, MITRE ATT&CK mappings, timelines, and observed impact (hundreds of backdoored servers, with 128 remaining as of 2023-03-03).
