Cyber Resilience

CVE-2022-36537

High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 26 August 2022
Modified: 03 November 2025
KEV Added: 27 February 2023
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9394 (99.9th percentile)
Risk Priority: 91 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-36537 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in the Zkoss ZK Framework. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations identified in this analysis are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1 are affected by a vulnerability in the AuUploader component that allows unauthorized access to sensitive information when a crafted POST request is processed. The issue carries a CVSS 3.1 score of 7.5, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction; the impact is limited to confidentiality (rated high), with no integrity or availability impact.

Remote unauthenticated attackers can send malicious POST requests to the AuUploader endpoint and retrieve confidential data stored or processed by the framework. No authentication or user interaction is needed, enabling direct information disclosure from exposed instances.

Advisories reference ZK tracker entry ZK-5150 along with CISA alerts on active exploitation of the ZK Java framework flaw, and the CVE is listed in the CISA known exploited vulnerabilities catalog.

The associated EPSS score reached a peak of 0.9686 with a current value of 0.9394, indicating sustained high exploitation interest after disclosure.

EU & UK References

Vulnerability details

ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allow attackers to access sensitive information via a crafted POST request sent to the AuUploader component.

CWE(s): not assigned
KEV Date Added: 27 February 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zkoss zk framework: ≤ 8.6.4.2 · 9.0.0 to 9.0.1.3 · 9.5.0 to 9.5.1.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (AC-3, Access Enforcement): Directly enforces access control decisions on the AuUploader endpoint to block unauthenticated requests that exfiltrate sensitive data.

prevent (SI-10, Information Input Validation): Requires validation of the specially crafted POST request before the AuUploader component processes or discloses information.

prevent: Restricts network traffic to the vulnerable AuUploader component, limiting remote unauthenticated access from external attackers.

References