External risk intelligence

Veeam Backup & Replication Unauthorized Access Vulnerability

CVE advisory | Known Exploit

CVE-2022-26501

A flaw in Veeam Backup & Replication allows unauthorized access to internal functions, potentially leading to malicious code execution. This could impact system security and data integrity. The realistic business risk involves unauthorized access and compromise of backup data.

Halo Surface Signal: 2

Missing Authentication

Veeam Backup & Replication

  • 10.0.0.4442 to before 10.0.1.4854
  • 11.0.0.825 to before 11.0.1.1261
  • 10.0.1.4854
  • 11.0.1.1261

External exposure likelihood

Halo Surface Signal score for CVE-2022-26501

Veeam Backup & Replication is primarily designed for internal infrastructure and data protection management. While it uses network services, it is typically deployed within protected internal networks and is not intended for direct exposure to the public internet in standard deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

Veeam Backup & Replication software contains an access control flaw within its distribution service. This weakness allows unauthenticated users to access internal API functions. The main business impact can involve unauthorized code execution, potentially compromising data integrity and system security.

  • Vulnerable component: Veeam Backup & Replication
  • Core weakness: Incorrect access control
  • Main business impact: Unauthorized code execution

Attack Path

How an attacker could exploit the issue

This vulnerability allows unauthenticated attackers to access internal API functions. Attackers can send specific input to the API, enabling the upload and execution of malicious code on affected systems. This could lead to unauthorized access, data compromise, or disruption of backup and replication services.

  • Network exposure of Veeam service.
  • Attacker sends input to API.
  • Malicious code uploaded and executed.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow attackers to gain unauthorized access to sensitive data and execute malicious code on affected systems. The potential for widespread impact and the ease with which it can be exploited suggest a significant risk to organizations. Due to the critical nature and known exploitation, this issue demands immediate attention.

  • Likely attacker skill level: Low
  • Required access or conditions: None
  • Business risk or urgency: Critical

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Veeam Backup & Replication could allow unauthorized access to internal functions, potentially leading to the execution of malicious code. Organizations should prioritize understanding their exposure to this risk. The immediate focus should be on identifying all instances of the affected software within the environment, implementing measures to limit its exposure, applying the vendor-provided fix, and verifying that the solution has been successfully implemented. Ongoing monitoring for any related security incidents is also recommended.

  • Find affected assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.
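
For the "find affected assets" and "verify" steps, the sketch below sorts an inventory of installed builds against the two affected ranges listed on this page. It is an added example, not Veeam tooling; the hostnames and sample builds are constructed, and builds outside the listed ranges are reported as "not-listed" rather than assumed safe.

```python
# Added example: classify Veeam Backup & Replication builds against the
# affected ranges listed on this page for CVE-2022-26501.

# (first affected build, first build outside the range), from this page.
AFFECTED_RANGES = [
    ((10, 0, 0, 4442), (10, 0, 1, 4854)),
    ((11, 0, 0, 825), (11, 0, 1, 1261)),
]

def parse_build(text):
    """Parse 'a.b.c.d' into a tuple of ints; raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in parts)

def classify(build_text):
    """Return 'affected', 'fixed', 'not-listed' or 'unparseable'."""
    try:
        build = parse_build(build_text)
    except ValueError:
        return "unparseable"
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= build < first_fixed:
            return "affected"
        # Same major version, at or past the range's upper bound.
        if build[0] == first_fixed[0] and build >= first_fixed:
            return "fixed"
    # Older or newer branches are not covered by this page's ranges.
    return "not-listed"

def triage(inventory):
    """inventory: iterable of (hostname, build) -> {status: [hostnames]}."""
    result = {}
    for host, build in inventory:
        result.setdefault(classify(build), []).append(host)
    return result

# Constructed sample inventory (hostnames and builds are made up).
SAMPLE = [
    ("bkp-01", "10.0.1.4854"), ("bkp-02", "11.0.0.900"),
    ("bkp-03", "11.0.1.1261"), ("bkp-04", "9.5.0.100"),
    ("bkp-05", "10.0.0.4500"), ("bkp-06", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as "not-listed" or "unparseable" still need a manual check against the vendor advisory, since this page only gives ranges for the 10.x and 11.x branches.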

Frequently asked questions

What is Veeam Backup & Replication?

Veeam Backup & Replication is a software solution used for backing up and restoring data and virtual machines. It helps organizations protect their data by creating copies that can be used to recover systems in case of data loss or system failures. This software is crucial for business continuity and disaster recovery planning.

What is CVE-2022-26501's weakness class?

CVE-2022-26501 is classified as an Incorrect Access Control vulnerability, specifically CWE-306. This means the software did not properly enforce restrictions on who could access certain functions or data, allowing unauthorized actions.

How can an attacker exploit this Veeam vulnerability?

An attacker can exploit this vulnerability by sending specially crafted input to the Veeam distribution service's internal API. This is possible without any authentication, potentially allowing the attacker to upload and execute malicious code on the affected system.

Who should care about the Veeam Backup & Replication vulnerability?

Organizations using Veeam Backup & Replication should care about this vulnerability, especially if the software is accessible from the internet. While typically used internally, any exposure, even if unlikely, presents a risk that needs attention to protect sensitive data and systems.

What are the first steps if you are running Veeam Backup & Replication?

If you are running Veeam Backup & Replication, the first steps are to identify all instances of the affected software, take measures to reduce or isolate its network exposure if possible, and then apply the fix provided by Veeam. Verifying the successful implementation of the fix and continuing to monitor for any unusual activity is also recommended.
