CVE-2021-27878
Published: 2021-03-01
Priority: P1 94 high, 8.8 CVSS 3.1
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2023-04-28
Exploited in the wild
EPSS: 23.95% (97.6th percentile)
An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The attacker could use one of these commands to execute an arbitrary command on the system using system privileges.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| veritas | backup_exec | < 21.2 | 21.2 |
Detection & IOCs (extracted from sources)
URL: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/veritas/beagent_sha_auth_rce.rb
- Monitor for exploitation of the SHA authentication scheme against Veritas Backup Exec Agent; successful auth via SHA should be treated as suspicious since this scheme is no longer used within current Backup Exec versions but was not disabled.
- Alert on arbitrary OS command execution originating from the Backup Exec Agent process running as NT AUTHORITY\SYSTEM (Windows) or root (Linux/Unix), as this is the expected post-exploitation privilege level.
- Detect use of data management protocol commands on an authenticated Backup Exec Agent connection, particularly commands that spawn child processes, as the attacker leverages these post-authentication to achieve RCE.
- Flag Veritas Backup Exec Agent versions 16.x, 20.x, and 21.x up to 21.2 (Remote Agent revision 9.3 and below) as vulnerable targets in asset inventory and network scanning.
- The SHA authentication scheme is the vulnerable attack vector; it is no longer functionally used by current Backup Exec versions but was not disabled prior to 21.2, meaning it remains exploitable on unpatched agents even if SHA auth is not actively configured by administrators.
- Exploitation occurs over the standard Backup Exec Agent communication channel (typically TLS), meaning malicious traffic may blend with legitimate backup traffic and evade inspection unless SHA auth handshakes are specifically monitored.
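CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |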
CISA
Veritas Backup Exec Agent Command Execution Vulnerability
cisa·2023-04-07·CVSS 8.8
CVE-2021-27878 [HIGH] CWE-287 Veritas Backup Exec Agent Command Execution Vulnerability
Vulnerability: Veritas Backup Exec Agent Command Execution Vulnerability
Affected: Veritas Backup Exec Agent
Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command to execute a command on the BE Agent machine.
Required Action: Apply updates per vendor instructions.
Notes: https://www.veritas.com/support/en_US/security/VTS21-001; https://nvd.nist.gov/vuln/detail/CVE-2021-27878
Remediation Due Date: 2023-04-28
GHSA
GHSA-6r93-82vq-9w4w: An issue was discovered in Veritas Backup Exec before 21
ghsa_unreviewed·2022-05-24
CVE-2021-27878 [HIGH] CWE-287 GHSA-6r93-82vq-9w4w: An issue was discovered in Veritas Backup Exec before 21
An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The attacker could use one of these commands to execute an arbitrary command on the system using system privileges.
VulnCheck
Veritas Backup Exec Agent Command Execution Vulnerability
vulncheck·2021·CVSS 8.8
CVE-2021-27878 [HIGH] CWE-287 Veritas Backup Exec Agent Command Execution Vulnerability
Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command to execute a command on the BE Agent machine.
Affected: Veritas Backup Exec Agent
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.mandiant.com/resources/blog/alphv-ransomware-backup; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.at-bay.com/articles/avoslocker-adds-veritas-vulnerabilities-to-access-arsenal/; https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape; https://go.recordedfuture.com/hubfs/reports/cta-2024-0208.pdf; https://cloud.go
No detection rules found.
Mandiant
Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape
blogs_mandiant·2026-03-16
Google Threat Intelligence Group
Written by: Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, Genevieve Stark
## Introduction
Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region. In recent years ransomware operations have evolved, creating a robust ecosystem that has lowered the barrier to entry via the commoditization and specialization of the supporting underground communities, w
- http://packetstormsecurity.com/files/168506/Veritas-Backup-Exec-Agent-Remote-Code-Execution.html
- https://www.veritas.com/content/support/en_US/security/VTS21-001#issue3
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27878
2021-03-01: Published
2023-04-07: Added to CISA KEV
Exploited in the wild