CVE-2005-2611
published 2005-08-17

CVE-2005-2611: VERITAS Backup Exec for Windows Servers 8.6 through 10.0, Backup Exec for NetWare Servers 9.0 and 9.1, and NetBackup for NetWare Media Server Option 4.5…

Priority: P179 · critical · 10 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 87.03% (99.7th percentile)
VERITAS Backup Exec for Windows Servers 8.6 through 10.0, Backup Exec for NetWare Servers 9.0 and 9.1, and NetBackup for NetWare Media Server Option 4.5 through 5.1 uses a static password during authentication from the NDMP agent to the server, which allows remote attackers to read and write arbitrary files with the backup server.

Affected

57 ranges · showing 25
Vendor | Product | Version range | Fixed in
symantec_veritas | backup_exec | |

Detection & IOCs (extracted from sources)

port: 10000
port: 44444
command: CONNECT_CLIENT_AUTH with opcode 0x0901
bytes: \xb4\xb8\x0f\x26\x20\x5c\x42\x34\x03\xfc\xae\xee\x8f\x91\x3d\x6f
  • Detect NDMP authentication attempts on TCP/10000 using the static hardcoded password bytes (b4 b8 0f 26 20 5c 42 34 03 fc ae ee 8f 91 3d 6f) in the CONNECT_CLIENT_AUTH packet (opcode 0x0901). The username field will contain 'root' (4 bytes, length-prefixed) immediately before the 16-byte static password.
  • Monitor for NDMP DATA_CONNECT requests (opcode 0x040a) directing the Backup Exec agent to initiate an outbound TCP connection to an attacker-controlled host and port, indicating exploitation of the file exfiltration logic flaw.
  • The exploit uses the FILESYSTEM environment variable set to a UNC-style path '\\<RHOST>\<RPATH>' in the DATA_START_BACKUP request. Inspect NDMP backup environment variables for unexpected or attacker-supplied FILESYSTEM values pointing to arbitrary paths.
  • The Backup Exec Windows Agent listens on TCP port 10000 (NDMP). Any unauthenticated or externally-sourced connection to this port should be alerted on, as the static password allows any remote attacker to authenticate.
  • The exploit uses a default listener port of 44444/tcp on the attacker side to receive the exfiltrated MTF-format backup data. Outbound connections from a Backup Exec agent host to ephemeral or unusual ports (especially 44444) may indicate active exploitation.
  • The static password is hardcoded in the NDMP agent and cannot be changed by configuration — all versions of the Backup Exec Windows Agent are affected regardless of deployment settings.
  • Exfiltrated files are delivered in MTF (Microsoft Tape Format) and require a dedicated tool (NTKBUp) to extract, which may complicate forensic triage of stolen data.
  • Entire directories can be exfiltrated by specifying a path with a trailing backslash, not just individual files — scope of data loss may be broader than single-file access.
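
The first two detection bullets as an added Python example (not code from this page or its sources): it walks a reassembled client-to-server stream on TCP/10000 and flags a CONNECT_CLIENT_AUTH record carrying length-prefixed 'root' plus the static bytes, and any DATA_CONNECT request. The record framing (one XDR record-marking fragment per message, a 24-byte header with the message code as its fourth big-endian word), the alert names and the helper _record are assumptions; the sample records are constructed.

```python
import struct

# Values quoted on this page.
STATIC_PASSWORD = bytes.fromhex("b4b80f26205c423403fcaeee8f913d6f")
CONNECT_CLIENT_AUTH = 0x0901
DATA_CONNECT = 0x040A
# Length-prefixed 'root' immediately followed by the 16 static bytes.
SIGNATURE = struct.pack(">I", 4) + b"root" + STATIC_PASSWORD

HEADER_LEN = 24  # assumption: six 32-bit big-endian words, code is the 4th


def ndmp_messages(stream: bytes):
    """Yield (message_code, body) per record of a reassembled stream."""
    off = 0
    while off + 4 <= len(stream):
        # Assumption: one record-marking fragment per message; the top bit
        # is the last-fragment flag, the remaining 31 bits are the length.
        length = struct.unpack_from(">I", stream, off)[0] & 0x7FFFFFFF
        record = stream[off + 4: off + 4 + length]
        off += 4 + length
        if len(record) >= HEADER_LEN:  # skip empty or truncated records
            code = struct.unpack_from(">I", record, 12)[0]
            yield code, record[HEADER_LEN:]


def classify(stream: bytes) -> list:
    """Return alert names (hypothetical) for the two flagged request types."""
    alerts = []
    for code, body in ndmp_messages(stream):
        if code == CONNECT_CLIENT_AUTH and SIGNATURE in body:
            alerts.append("ndmp-static-password-auth")
        elif code == DATA_CONNECT:
            alerts.append("ndmp-data-connect")
    return alerts


def _record(code: int, body: bytes) -> bytes:
    """Build a constructed test record (not captured traffic)."""
    msg = struct.pack(">6I", 1, 0, 0, code, 0, 0) + body
    return struct.pack(">I", 0x80000000 | len(msg)) + msg


# Constructed samples; the leading zero bytes are placeholder filler.
SAMPLE_HIT = _record(CONNECT_CLIENT_AUTH, b"\x00" * 4 + SIGNATURE)
SAMPLE_MISS = _record(CONNECT_CLIENT_AUTH,
                      b"\x00" * 4 + SIGNATURE[:8] + b"\x11" * 16)
SAMPLE_DATA_CONNECT = _record(DATA_CONNECT, b"\x00" * 12)
```
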

CVSS provenance

nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 10.0 · CRITICAL