External risk intelligence

Veeam Backup & Replication Vulnerability Allows Code Execution

CVE advisory | Known Exploit

CVE-2022-26500

A flaw in Veeam Backup & Replication allows authenticated users to access internal functions, enabling attackers to upload and execute arbitrary code. This poses a risk of unauthorized system control and potential business disruption. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.

Halo Surface Signal: 2

Path Traversal

Veeam Backup & Replication

  • 10.0.0.4442 to before 10.0.1.4854
  • 11.0.0.825 to before 11.0.1.1261
  • 9.5.0.1536
  • 9.5.4.2615
  • 10.0.1.4854
  • 11.0.1.1261

External exposure likelihood

Halo Surface Signal score for CVE-2022-26500

This vulnerability affects backup management software, which is typically deployed in internal, isolated network segments. While network-reachable within an environment, these systems are generally not exposed to the public internet and require internal network access to reach, making direct internet exposure uncommon in standard deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

A flaw in Veeam Backup & Replication could allow unauthorized access to internal functions. This could enable attackers to upload and execute malicious code within an organization's systems. The impact can include unauthorized data access or modification and potential disruption of business operations.

  • Vulnerable backup software
  • Flaw allows code execution
  • Business operations at risk

Attack Path

How an attacker could exploit the issue

This vulnerability affects Veeam Backup & Replication software, enabling remote authenticated users to access internal API functions. Attackers can leverage this access to upload and execute arbitrary code, potentially leading to unauthorized system control. The improper limitation of path names is the core issue exploited.

  • Requires authenticated user access.
  • Attacker uploads and executes code.
  • Results in system control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Veeam Backup & Replication allows authenticated users to access internal API functions, potentially leading to the upload and execution of arbitrary code. This could result in unauthorized access and control over affected systems. The CISA known exploited vulnerabilities catalog lists this CVE.

  • Low skill level required for attackers.
  • Authenticated access to the system is needed.
  • Business risk is high.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows remote authenticated users to access internal API functions, potentially leading to the upload and execution of arbitrary code. The impact could include unauthorized access, system compromise, and data loss for affected organizations. This issue is known to be exploited in ransomware campaigns.

  • Find affected assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.

Frequently asked questions

What is Veeam Backup & Replication and how is it used?

Veeam Backup & Replication is software used for backing up and restoring data. It helps organizations protect their virtual, physical, and cloud-based workloads by creating copies of data that can be used to recover from data loss events.

What kind of weakness does CVE-2022-26500 represent?

CVE-2022-26500 is an "Improper limitation of path names" weakness, classified as CWE-22 (path traversal). This means the software did not correctly restrict file or directory path information, allowing unauthorized access or manipulation.

What preconditions must be met for an attacker to exploit CVE-2022-26500?

An attacker must first have authenticated access to the Veeam Backup & Replication system. The vulnerability is not triggered by unauthenticated users. Access to internal API functions is the mechanism for exploitation.

Who should be concerned about this CVE based on its exposure?

Organizations running Veeam Backup & Replication software that is accessible internally should be concerned. While not typically internet-facing, this type of backup software often contains critical internal data, making its compromise a significant risk.

What are the first steps for managing this vulnerability in Veeam Backup & Replication?

The initial steps involve identifying all systems running the affected versions of Veeam Backup & Replication. After identification, apply any available updates or patches provided by Veeam to remediate the vulnerability.
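One way to carry out that identification step, as an added example (not Veeam's code and not part of the original advisory): it sorts an inventory of reported build numbers against the build numbers listed on this page. The hostnames and inventory rows are constructed, and because the individually listed builds carry no label on this page, the script only flags them for manual review against the vendor's advisory.

```python
# Added example: triage inventory builds against the build numbers listed on this page.
# Hostnames and inventory rows are constructed sample data (assumptions).

# Ranges the page gives as "X to before Y" (start inclusive, end exclusive).
AFFECTED_RANGES = [("10.0.0.4442", "10.0.1.4854"), ("11.0.0.825", "11.0.1.1261")]
# Builds the page lists individually, without a label: flag for manual review.
LISTED_BUILDS = {"9.5.0.1536", "9.5.4.2615", "10.0.1.4854", "11.0.1.1261"}


def parse_build(text):
    """Turn '11.0.0.837' into (11, 0, 0, 837); raise ValueError on malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in parts)


def classify(build):
    """Return 'in-affected-range', 'listed-review', 'not-listed' or 'unparseable'."""
    try:
        version = parse_build(build)
    except ValueError:
        return "unparseable"
    # Tuple comparison orders builds field by field, unlike string comparison.
    for low, high in AFFECTED_RANGES:
        if parse_build(low) <= version < parse_build(high):
            return "in-affected-range"
    if version in {parse_build(b) for b in LISTED_BUILDS}:
        return "listed-review"
    return "not-listed"


def triage(inventory):
    """Map each status to the sorted hosts that fall under it."""
    report = {}
    for host, build in inventory:
        report.setdefault(classify(build), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory: (hostname, reported build).
SAMPLE_INVENTORY = [("vbr-01", "11.0.0.837"), ("vbr-02", "10.0.1.4854"),
                    ("vbr-03", "10.0.0.4461"), ("vbr-04", "12.0.0.1420"),
                    ("vbr-05", "11.0.1")]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `unparseable` or `listed-review` still need a manual check; neither result means the host is unaffected.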
