ConnectWise BCDR and R1Soft Server Backup Manager Critical Security Release
Vulnerability
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component.
Severity
Critical – Vulnerabilities that could allow remote code execution or direct access to confidential data.
Priority
1 – Vulnerabilities that are either being targeted or have a higher risk of being targeted by exploits in the wild. Patching as soon as possible is recommended.
Affected versions
ConnectWise Recover: Recover v2.9.7 and earlier versions are impacted.
R1Soft: SBM v6.16.3 and earlier versions are impacted.
Remediation
ConnectWise Recover:
Affected ConnectWise Recover SBMs have automatically been updated to the latest version of Recover (v2.9.9).
R1Soft:
Upgrade the server backup manager to SBM v6.16.4, released October 28, 2022, by following the R1Soft upgrade wiki.
Please refer to the release notes for more information.
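To triage a fleet against the version thresholds above, the following added example (not ConnectWise or R1Soft code) classifies an inventory of installed versions. The host names, the inventory layout and the `REVIEW` status for versions that sit between the last affected and the remediated release are assumptions of this example; how each version string is collected is left to your own tooling.

```python
import re

# Thresholds copied from this advisory: last affected and remediated versions.
ADVISORY = {
    "recover": {"max_affected": (2, 9, 7), "fixed": (2, 9, 9)},
    "sbm": {"max_affected": (6, 16, 3), "fixed": (6, 16, 4)},
}

def parse_version(text):
    """Return (major, minor, patch) from strings such as 'v6.16.3' or '6.16.4 build 12'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def classify(product, version_text):
    """Classify one installation against the advisory thresholds."""
    limits = ADVISORY[product.lower()]
    version = parse_version(version_text)  # tuples compare numerically: 6.9.10 < 6.16.3
    if version <= limits["max_affected"]:
        return "AFFECTED"
    if version < limits["fixed"]:
        # Assumption: the advisory does not list these versions as affected,
        # but they are older than the remediated release, so flag for follow-up.
        return "REVIEW"
    return "REMEDIATED"

def triage(inventory):
    """Return (host, product, version, status) rows; bad records become UNKNOWN."""
    rows = []
    for host, product, version in inventory:
        try:
            status = classify(product, version)
        except (KeyError, ValueError):
            status = "UNKNOWN"
        rows.append((host, product, version, status))
    return rows

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("backup-01", "SBM", "v6.16.3"),
    ("backup-02", "SBM", "6.9.10"),
    ("backup-03", "SBM", "6.16.4 build 12"),
    ("recover-01", "Recover", "2.9.8"),
    ("recover-02", "Recover", "v2.9.9"),
    ("backup-04", "SBM", "unknown"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("{:<11} {:<8} {:<16} {}".format(*row))
```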
Additional information
Visit home.connectwise.com/securityBulletin/635bd34f6e80800001cdcfbe