"Critical RCE Vulnerability Reported in ConnectWise Server Backup Solution"

ConnectWise, an IT service management software platform, has released software patches to address a critical security vulnerability in Recover and R1Soft Server Backup Manager (SBM). The vulnerability, described as an improper neutralization of special elements in output used by a downstream component, could be exploited to achieve remote code execution or to disclose sensitive information. According to ConnectWise's advisory, the critical flaw affects Recover v2.9.7 and earlier, as well as R1Soft SBM v6.16.3 and earlier. The root cause of the problem is an upstream authentication bypass vulnerability in the ZK open-source Ajax web application framework (CVE-2022-36537), which was first patched in May 2022. This article continues to discuss the critical RCE vulnerability found in Recover and R1Soft SBM.

THN reports "Critical RCE Vulnerability Reported in ConnectWise Server Backup Solution"

 
