cbcvebase.
CVE-2021-27877
published 2021-03-01


Priority: P1, 100 · critical 9.8 · CVSS 3.1
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, Exploit, Ransomware
CISA Known Exploited Vulnerability, due 2023-04-28
Exploited in the wild
EPSS: 64.91% (99.1st percentile)
An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands.

Affected

1 range

Vendor    Product      Version range   Fixed in
veritas   backup_exec  < 21.2          21.2

Detection & IOCs (extracted from sources)

port: 10000
bytes: 80000018000000010000000000000000000001080000000000000000
yara: regex 'Remote Agent for NT ([0-9.]+)'
  • Probe TCP port 10000 for Veritas Backup Exec Agent banner; a response containing 'Remote Agent for NT' with a version string below 9.3 indicates a vulnerable, exploitable instance.
  • Detect exploitation attempts by monitoring for the specific 28-byte hex probe packet sent over TCP to port 10000: 80000018000000010000000000000000000001080000000000000000
  • Use Shodan query 'product:"Veritas Backup Exec"' to identify internet-exposed BE Agent instances for asset enumeration and prioritized patching.
  • Exploitation results in command execution as NT AUTHORITY\SYSTEM (Windows) or root (Linux); monitor for privileged process spawning from the Backup Exec Agent process following inbound connections on port 10000.
  • Affected versions are 16.x, 20.x, and 21.x up to 21.2 (Remote Agent revision up to and including 9.3); version fingerprinting via the banner response can confirm exposure.
  • The SHA authentication scheme is a legacy mechanism that was not disabled in affected versions; its mere presence on the network listener is the attack surface: no credentials are required by the attacker.
  • The vulnerability is network-exploitable with no authentication (CVSS AV:N/AC:L/PR:N/UI:N), meaning any host that can reach TCP/10000 on a vulnerable BE Agent can exploit it without prior access.
  • This CVE is listed in CISA's Known Exploited Vulnerabilities catalog with a mandated remediation date of 2023-04-28, indicating confirmed in-the-wild exploitation.
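The banner fingerprint and probe-packet indicators listed above, turned into defender-side checks as an added example (this is not part of the record and not Veritas code). It assumes the version in the 'Remote Agent for NT' banner is the Agent revision the list refers to, reads the revision bound inclusively ("up to and including 9.3"), and runs over constructed banners and connection records rather than live traffic.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Taken from the record above: the banner regex, the 28-byte probe, and the
# "up to and including 9.3" Agent revision bound (applied inclusively here).
BANNER_RE = re.compile(r"Remote Agent for NT ([0-9.]+)")
PROBE = bytes.fromhex("80000018000000010000000000000000000001080000000000000000")
LAST_AFFECTED_REV = (9, 3)
AGENT_PORT = 10000

def parse_rev(version: str) -> Tuple[int, ...]:
    """'9.3' -> (9, 3); ignores empty fields left by stray dots in a banner."""
    return tuple(int(p) for p in version.split(".") if p)

def banner_exposure(banner: str) -> Optional[bool]:
    """True if the banner reports an affected Agent revision, False if it
    reports a newer one, None if this is not a Backup Exec Agent banner.
    Assumption: the banner version is the Agent revision the record means."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    rev = parse_rev(m.group(1))
    return rev <= LAST_AFFECTED_REV if rev else None

def find_probe_attempts(flows: Iterable[dict]) -> List[str]:
    """Source addresses of inbound TCP/10000 payloads that begin with the
    known probe bytes. Flow records are constructed dicts shaped like
    {'src': str, 'dport': int, 'payload': bytes}."""
    return [
        f["src"]
        for f in flows
        if f.get("dport") == AGENT_PORT and f.get("payload", b"").startswith(PROBE)
    ]

# Constructed sample input (not real observations)
SAMPLE_BANNERS = {
    "legacy": "Remote Agent for NT 9.3",
    "patched": "Remote Agent for NT 9.4",
    "other": "220 mail.example.invalid ESMTP",
}
SAMPLE_FLOWS = [
    {"src": "203.0.113.5", "dport": 10000, "payload": PROBE + b"\x00" * 8},
    {"src": "198.51.100.7", "dport": 10000, "payload": b"GET / HTTP/1.0\r\n"},
    {"src": "192.0.2.9", "dport": 445, "payload": PROBE},   # wrong port, ignored
]
```

Feed `find_probe_attempts` the payloads of inbound connections to the Agent port and `banner_exposure` the banners from your own asset inventory; a True from the latter is a host to patch to 21.2, a non-empty list from the former is a host to investigate.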

CVSS provenance

Source      Version  Score  Severity  Vector
nvd         v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck            8.2    HIGH
cisa                 9.8    CRITICAL