BugZero found this defect 809 days ago.
3/18/2022
Veeam Backup & Replication
10
No fixed releases provided.
Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system.
Severity: Critical
CVSS v3 score: 9.8
The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API, which may lead to the upload and execution of malicious code.
Patches are available for the following Veeam Backup & Replication versions:
These vulnerabilities were reported by Nikita Petrov (Positive Technologies).