CVE-2021-27877
Published 2021-03-01
Priority P1 · 100 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability · due 2023-04-28
Exploited in the wild
EPSS: 64.91% (99.1th percentile)
An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| veritas | backup_exec | < 21.2 | 21.2 |
Detection & IOCs (extracted from sources)
bytes: 80000018000000010000000000000000000001080000000000000000
yara regex: 'Remote Agent for NT ([0-9.]+)'
- Probe TCP port 10000 for Veritas Backup Exec Agent banner; a response containing 'Remote Agent for NT' with a version string below 9.3 indicates a vulnerable, exploitable instance.
- Detect exploitation attempts by monitoring for the specific 28-byte hex probe packet sent over TCP to port 10000: 80000018000000010000000000000000000001080000000000000000
- Use Shodan query 'product:"Veritas Backup Exec"' to identify internet-exposed BE Agent instances for asset enumeration and prioritized patching.
- Exploitation results in command execution as NT AUTHORITY\SYSTEM (Windows) or root (Linux); monitor for privileged process spawning from the Backup Exec Agent process following inbound connections on port 10000.
- Affected versions are 16.x, 20.x, and 21.x up to 21.2 (Remote Agent revision up to and including 9.3); version fingerprinting via the banner response can confirm exposure.
- The SHA authentication scheme is a legacy mechanism that was not disabled in affected versions; its mere presence on the network listener is the attack surface; no credentials are required by the attacker.
- The vulnerability is network-exploitable with no authentication (CVSS AV:N/AC:L/PR:N/UI:N), meaning any host that can reach TCP/10000 on a vulnerable BE Agent can exploit it without prior access.
- This CVE is listed in CISA's Known Exploited Vulnerabilities catalog with a mandated remediation date of 2023-04-28, indicating confirmed in-the-wild exploitation.
CVSS provenance
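| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 8.2 | HIGH | |
| cisa | | 9.8 | CRITICAL | |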
GHSA
GHSA-grhg-3w4v-cp2r · ghsa_unreviewed · 2022-05-24
CVE-2021-27877 [CRITICAL] CWE-287
An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands.
VulnCheck
Veritas Backup Exec Agent Improper Authentication Vulnerability
vulncheck · 2021 · CVSS 8.2
CVE-2021-27877 [HIGH] CWE-287
Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme.
Affected: Veritas Backup Exec Agent
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.mandiant.com/resources/blog/alphv-ransomware-backup; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.at-bay.com/articles/avoslocker-adds-veritas-vulnerabilities-to-access-arsenal/; https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape; https://cloud.google.com/blog/topics/threat-intelligence/ransomware-attacks-surge-rely-
CISA
Veritas Backup Exec Agent Improper Authentication Vulnerability
cisa · 2023-04-07 · CVSS 9.8
CVE-2021-27877 [CRITICAL] CWE-287
Affected: Veritas Backup Exec Agent
Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme.
Required Action: Apply updates per vendor instructions.
Notes: https://www.veritas.com/support/en_US/security/VTS21-001; https://nvd.nist.gov/vuln/detail/CVE-2021-27877
Remediation Due Date: 2023-04-28
No detection rules found.
Metasploit
Veritas Backup Exec Agent Remote Code Execution
metasploit
Veritas Backup Exec Agent supports multiple authentication schemes and SHA authentication is one of them. This authentication scheme is no longer used within Backup Exec versions, but hadn't yet been disabled. An attacker could remotely exploit the SHA authentication scheme to gain unauthorized access to the BE Agent and execute an arbitrary OS command on the host with NT AUTHORITY\SYSTEM or root privileges, depending on the platform. The vulnerability is present in 16.x, 20.x and 21.x versions of Backup Exec up to 21.2 (or up to and including Backup Exec Remote Agent revision 9.3).
Nuclei
Veritas Backup Exec - Broken Authentication
nuclei · CVSS 9.8
CVE-2021-27877 [CRITICAL]
An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands.
Template:

```yaml
id: CVE-2021-27877

info:
  name: Veritas Backup Exec - Broken Authentication
  author: pussycat0x,DhiyaneshDK
  severity: high
  description: |
    An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes- SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't y
```
Mandiant
Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape
blogs_mandiant · 2026-03-16
Google Threat Intelligence Group
Written by: Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, Genevieve Stark
## Introduction
Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region. In recent years ransomware operations have evolved, creating a robust ecosystem that has lowered the barrier to entry via the commoditization and specialization of the supporting underground communities, w
References
- http://packetstormsecurity.com/files/168506/Veritas-Backup-Exec-Agent-Remote-Code-Execution.html
- https://www.veritas.com/content/support/en_US/security/VTS21-001#issue1
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27877
- 2021-03-01: Published
- 2023-04-07: Added to CISA KEV
Exploited in the wild