Operational Defect Database

BugZero found this defect 800 days ago.

Veeam | kb4288

CVE-2022-26500 | CVE-2022-26501

Last update date:

3/18/2022

Affected products:

Veeam Backup & Replication

Affected releases:

10

Fixed releases:

No fixed releases provided.

Description:

Challenge

Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system. Severity: Critical CVSS v3 score: 9.8

Cause

The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API which may lead to uploading and executing of malicious code.

Solution

Patches are available for the following Veeam Backup & Replication versions:

More Information

These vulnerabilities were reported by Nikita Petrov (Positive Technologies).

Additional Resources / Links

Share:

BugZero® Risk Score

What's this?

Coming soon

Status

Solved

Learn More

Search:

...