Critical RCE Vulnerability Reported in ConnectWise Server Backup Solution

01-Nov-22

ConnectWise, an IT service management software platform, has published software updates to address a significant security vulnerability in Recover and R1Soft Server Backup Manager (SBM). The vulnerability, described as “Neutralisation of Special Elements in Output Used by a Downstream Component,” could be exploited to allow remote code execution or the exposure of sensitive information.

According to ConnectWise’s advisory, the critical flaw affects Recover v2.9.7 and earlier, as well as R1Soft SBM v6.16.3 and earlier. The issue is linked to an upstream authentication bypass vulnerability in the ZK open source Ajax web application framework (CVE-2022-36537), which was initially patched in May 2022.