Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system.

Severity: Critical
CVSS v3 score: 9.8


The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API which may lead to uploading and executing of malicious code.


Patches are available for the following Veeam Backup & Replication versions:


  • The patch must be installed on the Veeam Backup & Replication server. Managed servers with Veeam Distribution Service will be updated automatically after installing the patch.
  • All new deployments of Veeam Backup & Replication version 11a and 10a installed using the ISO images dated 20220302 or later are not vulnerable.
  • If you are using Veeam Backup & Replication 9.5, please upgrade to a supported product version.
  • Temporary mitigation of the vulnerabilities: Stop and disable the Veeam Distribution Service. The Veeam Distribution Service is installed on the Veeam Backup & Replication server and servers specified as distribution servers in Protection Groups.

Commenti non abilitati