Operational Defect Database

BugZero found this defect 809 days ago.

Veeam | kb4288

CVE-2022-26500 | CVE-2022-26501

Last update date:

3/18/2022

Affected products:

Veeam Backup & Replication

Affected releases:

10

Fixed releases:

No fixed releases provided.

Description:

Challenge

Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system.

Severity: Critical

CVSS v3 score: 9.8

Cause

The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API that may lead to the upload and execution of malicious code.

Solution

Patches are available for the following Veeam Backup & Replication versions:

More Information

These vulnerabilities were reported by Nikita Petrov (Positive Technologies).

Additional Resources / Links

Status

Solved
