Challenge

Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system.

Severity: Critical
CVSS v3 score: 9.8

Cause

The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API which may lead to uploading and executing of malicious code.

Solution

Patches are available for the following Veeam Backup & Replication versions:

• 11a (build 11.0.1.1261 P20220302)
• 10a (build 10.0.1.4854 P20220304)

Notes:

• The patch must be installed on the Veeam Backup & Replication server. Managed servers with Veeam Distribution Service will be updated automatically after installing the patch.
• All new deployments of Veeam Backup & Replication version 11a and 10a installed using the ISO images dated 20220302 or later are not vulnerable.
• If you are using Veeam Backup & Replication 9.5, please upgrade to a supported product version.
• Temporary mitigation of the vulnerabilities: Stop and disable the Veeam Distribution Service. The Veeam Distribution Service is installed on the Veeam Backup & Replication server and servers specified as distribution servers in Protection Groups.