
CISA Alert: Veeam Backup and Replication Vulnerabilities Being Exploited in Attacks

Dec 16, 2022 | Ravie Lakshmanan | Backup & Recovery / Zero-Day


The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
has added[1]
two vulnerabilities impacting Veeam Backup & Replication software
to its Known Exploited Vulnerabilities (KEV[2]) Catalog, citing
evidence of active exploitation in the wild.

The now-patched critical flaws, tracked as
CVE-2022-26500 and CVE-2022-26501, are both rated
9.8 on the CVSS scoring system, and could be leveraged to gain
control of a target system.

“The Veeam Distribution Service (TCP 9380 by default) allows
unauthenticated users to access internal API functions,” Veeam
noted[3] in an advisory published
in March 2022. “A remote attacker may send input to the internal
API which may lead to uploading and executing of malicious
code.”


Both issues, which impact product versions 9.5, 10, and 11,
have been addressed in versions 10a and 11a. Users of Veeam Backup
& Replication 9.5 are advised to upgrade to a supported
version.

Nikita Petrov, a security researcher at Russian cybersecurity
firm Positive Technologies, has been credited with discovering and
reporting the weaknesses.

“We believe that these vulnerabilities will be exploited in real
attacks and will put many organizations at significant risk,”
Petrov said[4]
on March 16, 2022. “That is why it is important to install updates
as soon as possible or at least take measures to detect abnormal
activity associated with these products.”
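
One way to act on the detection advice above, shown as an added example that is not code from Veeam, CISA or Positive Technologies: a Python sketch that reads a Windows Firewall log (pfirewall.log format) and reports inbound traffic to TCP 9380 from sources outside an allowlist. The allowlisted range and the log lines are constructed assumptions; replace them with your own backup infrastructure addresses and logs.

```python
import ipaddress
from collections import Counter

VEEAM_DIST_PORT = "9380"  # Veeam Distribution Service default port, per the advisory

# Assumption (hypothetical range): hosts expected to reach the service.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed sample in Windows Firewall log (pfirewall.log) format.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-12-16 10:15:02 ALLOW TCP 10.0.5.20 10.0.5.10 51544 9380 0 - 0 0 0 - - - RECEIVE
2022-12-16 10:16:40 ALLOW TCP 192.0.2.77 10.0.5.10 40112 9380 0 - 0 0 0 - - - RECEIVE
2022-12-16 10:16:41 ALLOW TCP 192.0.2.77 10.0.5.10 40113 9380 0 - 0 0 0 - - - RECEIVE
2022-12-16 10:17:05 DROP TCP 198.51.100.9 10.0.5.10 55001 9380 0 - 0 0 0 - - - RECEIVE
2022-12-16 10:18:11 ALLOW TCP 10.0.9.3 10.0.5.10 49822 445 0 - 0 0 0 - - - RECEIVE
2022-12-16 10:19:30 ALLOW TCP 10.0.5.10 10.0.5.31 50210 9380 0 - 0 0 0 - - - SEND
"""

def is_allowed(src):
    """True if src parses as an IP address inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: report it rather than trust it
    return any(addr in net for net in ALLOWED_SOURCES)

def unexpected_9380_clients(log_text):
    """Count inbound TCP 9380 events per (source, action) from non-allowlisted hosts."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log's own header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if (rec.get("protocol") == "TCP" and rec.get("dst-port") == VEEAM_DIST_PORT
                and rec.get("path") == "RECEIVE" and not is_allowed(rec.get("src-ip", ""))):
            hits[(rec["src-ip"], rec["action"])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (src, action), n in sorted(unexpected_9380_clients(SAMPLE_LOG).items()):
        print(f"{src} {action} x{n}")
```

ALLOW entries from unexpected sources mean the service is reachable from hosts that should not see it; DROP entries show blocked attempts worth correlating with other telemetry.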

Details on the attacks exploiting these vulnerabilities are
unknown as yet, but cybersecurity company CloudSEK disclosed[5]
in October that it observed multiple threat actors advertising a
“fully weaponized tool for remote code execution” that abuses the
two flaws.

Some of the possible consequences of successful exploitation are
infection with ransomware, data theft, and denial of service,
making it imperative that users apply the updates.


References

  1. added (www.cisa.gov)
  2. KEV (www.cisa.gov)
  3. noted (www.veeam.com)
  4. said (www.ptsecurity.com)
  5. disclosed (cloudsek.com)
  6. Twitter (twitter.com)
  7. LinkedIn (www.linkedin.com)
