...
BugZero found this defect 942 days ago.
Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system.
Severity: Critical
CVSS v3 score: 9.8
The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API, which may lead to the upload and execution of malicious code.
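Because the service needs no authentication, who can reach TCP 9380 matters until the patch is applied. The following is an added example, not part of the advisory or of Veeam's tooling: it audits Windows `netstat -ano` output for listeners on that port bound to all interfaces and for connected peers outside a trusted range. The sample output, the 10.0.5.0/24 management subnet and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9380           0.0.0.0:0              LISTENING       4312
  TCP    [::]:9380              [::]:0                 LISTENING       4312
  TCP    10.0.5.20:9380         10.0.5.31:50122        ESTABLISHED     4312
  TCP    10.0.5.20:9380         203.0.113.77:41822     ESTABLISHED     4312
  TCP    10.0.5.20:51500        10.0.5.40:9380         ESTABLISHED     7720
"""

def split_endpoint(endpoint):
    """Split '10.0.5.20:9380' or '[::]:9380' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def audit_port(netstat_text, port=9380, trusted=("10.0.5.0/24",)):
    """Return (wildcard_listeners, untrusted_peers) for the given local port.

    `trusted` is an assumed allowlist of management networks (hypothetical).
    """
    nets = [ipaddress.ip_network(n) for n in trusted]
    wildcard, untrusted = [], []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # header, UDP rows, blank lines
        try:
            local_ip, local_port = split_endpoint(fields[1])
            peer_ip, _ = split_endpoint(fields[2])
        except ValueError:
            continue  # address form this parser does not handle, skip
        if local_port != port:
            continue  # another service, or an outbound connection
        if fields[3] == "LISTENING" and local_ip.is_unspecified:
            wildcard.append(str(local_ip))  # reachable on every interface
        elif fields[3] == "ESTABLISHED" and not any(
            peer_ip.version == n.version and peer_ip in n for n in nets
        ):
            untrusted.append(str(peer_ip))  # peer outside the allowlist
    return wildcard, untrusted

if __name__ == "__main__":
    listeners, peers = audit_port(SAMPLE_NETSTAT)
    print("bound to all interfaces:", listeners)
    print("peers outside trusted networks:", peers)
```

The `port` parameter is there because 9380 is only the default; pass the configured value if it was changed.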
Patches are available for the following Veeam Backup & Replication versions:
These vulnerabilities were reported by Nikita Petrov (Positive Technologies).