CVE-2022-36537
CVE-2022-36537 is a high-severity vulnerability in Zkoss Zk Framework with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-02-27).
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 95% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-02-27)
- EU (EUVD) id: EUVD-2022-6491
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-02-27)
- Affected product: Zkoss Zk Framework
- Published:
- Last modified:
Description
ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
CVE-2022-36537: ZK Framework AuUploader Information Disclosure
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2022-36537 |
| CVSS v3.1 | 7.5 HIGH |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| EPSS | 95.34% (0.99857 percentile) |
| Known Exploited | Yes — CISA KEV since 2023-02-27 |
| CWE | Unknown (not assigned in source data) |
Summary
Multiple versions of the ZK Java web framework ship a vulnerable AuUploader component that fails to properly restrict access to file upload metadata and response data. An unauthenticated remote attacker can send a crafted POST request to the AuUploader endpoint and retrieve sensitive information that should not be exposed, resulting in a HIGH-severity information disclosure vulnerability.
Background
ZK is an open-source Java web framework maintained by ZKoss. It is widely used in enterprise applications across Asia-Pacific and in internal business systems globally. The framework's client-side architecture relies on an asynchronous update mechanism (AU) where client widgets communicate with server-side components via endpoints such as AuUploader, which handles file uploads and related metadata exchange.
Root Cause
The root cause of this vulnerability is an access-control flaw in the AuUploader component. The endpoint accepts POST requests without verifying that the requester is authorized to access the upload context or view the response data it returns. The specific code path was addressed in upstream commit 92a29aa9b1daf1fd2d9d188cb6545f0441d54e84.
Because no CWE identifier was assigned in the source data, the most applicable weakness categories are:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor — the response leaks data to unauthenticated parties.
- CWE-862: Missing Authorization — the endpoint does not enforce access controls before returning data.
Note: The authoritative CWE was not present in the NVD record for this CVE. The classifications above are defensive interpretations based on the disclosed behavior.
Impact
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N yields a base score of 7.5 (HIGH).
| Metric | Rating | Implication |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over the internet |
| Attack Complexity (AC) | Low | No special conditions required |
| Privileges Required (PR) | None | No authentication needed |
| User Interaction (UI) | None | Fully automated exploitation possible |
| Scope (S) | Unchanged | Impact limited to the vulnerable component |
| Confidentiality (C) | High | Sensitive data can be disclosed |
| Integrity (I) | None | No direct data modification |
| Availability (A) | None | No denial-of-service impact |
The High Confidentiality impact is the primary concern: exposed data may include file paths, upload tokens, session-related metadata, or other internal state that aids further attack reconnaissance.
Exploitation Walkthrough (Defensive Perspective)
Ethics & Legal Notice: The following description is provided for defensive understanding only. Testing this vulnerability against systems you do not own or have explicit permission to test may violate computer fraud laws.
- Reconnaissance: The attacker identifies a publicly reachable ZK application that uses the default AU endpoint paths (commonly
/zkauor similar servlet mappings). - Crafted Request: The attacker sends a POST request to the
AuUploaderendpoint with a manipulated request body that references an upload ID or context belonging to another user or session. - Information Leakage: The server responds with metadata or file data that the attacker is not authorized to view, such as file names, paths, or internal identifiers.
- Amplification: The disclosed information may be combined with other weaknesses (e.g., path traversal or deserialization) to escalate impact.
Defensive takeaway: The exploit is fully unauthenticated and requires only network access, making it suitable for mass-scanning and automated exploitation campaigns.
Affected and Patched Versions
| Status | Versions |
|---|---|
| Affected | 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, 8.6.4.1 |
| Not Affected | ≥ 8.6.4.2 (per Maven metadata) |
The authoritative patched version is 8.6.4.2 or later. All ZK applications using an affected version should be treated as vulnerable until upgraded.
Remediation
Immediate Actions
- Upgrade to ZK Framework 8.6.4.2 or the latest stable release in your major version line (9.6.2+, 9.5.1.4+, etc.).
- Verify your dependency management files (
pom.xml,build.gradle, etc.) do not pin an affected version oforg.zkoss.zk:zk.
Compensating Controls (if patching is delayed)
- WAF Rule: Deploy a Web Application Firewall rule that restricts access to the
AuUploaderendpoint to authenticated sessions only, or blocks anomalous POST patterns that reference upload IDs outside the current session. - Network Segmentation: Ensure ZK applications are not directly exposed to the public internet unless necessary.
- Monitor Upload Endpoints: Alert on unusual volume of POST requests to AuUploader paths from unexpected source IPs.
Detection
- Network logs: Look for POST requests to
/zkau(or your configured ZK servlet path) withAuUploaderin the command data that originate from unauthenticated sessions or return unexpected data in the response. - EPSS score of 95.34% with a 99.857 percentile indicates this vulnerability is among the most actively exploited in the wild. Prioritize detection and response.
Assessment
CVE-2022-36537 is a high-priority remediation item. The combination of a 7.5 CVSS base score, an EPSS above 95%, and inclusion in the CISA Known Exploited Vulnerabilities catalog (added 2023-02-27) means active exploitation is not theoretical — it is confirmed in the wild.
Key lessons:
- Upload components are high-value targets: File upload handlers often bridge authenticated and unauthenticated code paths; they require rigorous access-control review.
- EPSS > 90% + KEV = patch immediately: When a vulnerability scores this high on both CVSS and EPSS and appears on CISA's KEV list, the window for proactive patching has closed; the only responsible action is emergency remediation.
References
- https://tracker.zkoss.org/browse/ZK-5150
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36537
- https://nvd.nist.gov/vuln/detail/CVE-2022-36537
- https://github.com/zkoss/zk/commit/92a29aa9b1daf1fd2d9d188cb6545f0441d54e84
- https://github.com/zkoss/zk
Frequently asked questions
- What is CVE-2022-36537?
- ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
- How severe is CVE-2022-36537?
- CVE-2022-36537 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2022-36537 being actively exploited?
- Yes. CVE-2022-36537 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-02-27, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-36537?
- CVE-2022-36537 affects Zkoss Zk Framework. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-36537?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-36537 have an EU (EUVD) identifier?
- Yes. CVE-2022-36537 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-6491. It is also flagged as exploited in the EUVD (since 2023-02-27).
- When was CVE-2022-36537 published?
- CVE-2022-36537 was published on 2022-08-26 and last updated on 2026-06-17.
References
- https://tracker.zkoss.org/browse/ZK-5150
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36537
Affected products (1)
- cpe:2.3:a:zkoss:zk_framework:*:*:*:*:*:*:*:*
More vulnerabilities in Zkoss Zk Framework
- CVE-2013-5966 — Medium (CVSS 4.3): Cross-site scripting (XSS) vulnerability in ZK Framework before 5.0.13 allows remote attackers to inject arbitrary web…