BugZero | Veeam BugID kb4288 - CVE-2022-26500

OPERATIONAL DEFECT DATABASE

...

BugZero | Veeam BugID kb4288 - CVE-2022-26500 | CVE-2022-26501

Veeam - Defect ID: kb4288

CVE-2022-26500 | CVE-2022-26501

Veeam - Defect ID: kb4288

CVE-2022-26500 | CVE-2022-26501

Last updated on March 18th, 2022

BugZero Risk Score
9.7 High

Overall: 9.7

Severity: 10.0

Community: 8.3

What is the BugZero Risk Score?

Veeam Integration

Learn more about where this data comes from

Veeam Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Priority: Issue
Status: Solved

Description

Challenge

Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system. Severity: CriticalCVSS v3 score: 9.8

Cause

The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API which may lead to uploading and executing of malicious code.

Solution

Patches are available for the following Veeam Backup & Replication versions:

More Information

These vulnerabilities were reported by Nikita Petrov (Positive Technologies).

Change history

No changes to display

2022-03-18 Added: 9.5, 10, 11

Top Veeam Defects

9.9Defect ID: kb4445
Restore/Failover/SureBackup of Virtual Machines running Windows 8.1/Window Server 2012 R2 (or older) triggers chkdsk if Veeam Backup Server or Mount Server is Running Windows Server 2022 (or newer)
9.8Defect ID: kb4529
OneDrive backup job fails with "Download request retry timeout exceeded"
9.8Defect ID: kb1914
“Invalid Credentials” Error Adding a Hyper-V Host Using a Local Account
9.7Defect ID: kb4648
Connection to Veeam Software Appliance Fails With: "Authentication failed: invalid credentials"
9.7Defect ID: kb4548
Agent is managed by another Veeam server

Veeam Integration

Learn more about where this data comes from

Veeam Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Veeam - Defect ID: kb4288

CVE-2022-26500 | CVE-2022-26501

Veeam - Defect ID: kb4288

CVE-2022-26500 | CVE-2022-26501

Last updated on March 18th, 2022

BugZero Risk Score9.7 High

Bug Details

Challenge

Cause

Solution

More Information

Links

Top Veeam Defects

Ready to prevent the next vendor outage?

BugZero Risk Score
9.7 High