One Day Sec

What is CVE-2022-36537 about, and why is the encryption weak in Server Backup Manager?

CVE-2022-36537 is a hardcoded symmetric key vulnerability in Server Backup Manager's `SecureZipUtils.class`. Files are encrypted with AES under a weak, hardcoded 16‑byte key (`DE7E147A6F487351`), applied with only one encryption round per file, and the KeyStore is protected by a known default password, `r1soft`. Because the key and the KeyStore password are fixed and known, an authenticated user can decrypt sensitive configuration files, including the user database, whose passwords are stored as SHA‑1 hashes that can be easily cracked. The vulnerability details are discussed in the Server Backup Manager Vulnerability Debugging Environment Setup article.
Tags: CVE-2022-36537, hardcoded key, weak encryption, AES, KeyStore, Server Backup Manager
