CVE-2022-26500
Published 2022-03-17
CVE-2022-26500: Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4, 10.x, and 11.x allows remote authenticated users access to internal API functions…
Priority: P1 (88) · Severity: high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability (remediation due 2023-01-03)
Exploited in the wild
EPSS: 5.94% (92.4th percentile)
Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4, 10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| veeam | veeam_backup_replication | — | — |
| veeam | veeam_backup_replication | — | — |
| veeam | veeam_backup_replication | — | — |
| veeam | veeam_backup_replication | — | — |
| veeam | veeam_backup_replication | >= 10.0.0.4442 < 10.0.1.4854 | 10.0.1.4854 |
| veeam | veeam_backup_replication | >= 11.0.0.825 < 11.0.1.1261 | 11.0.1.1261 |
Detection & IOCs (extracted from sources)
- The vulnerability is exploited via the Veeam Distribution Service, which allows unauthenticated users to access internal API functions: monitor for unexpected or unauthenticated requests to the Veeam Distribution Service API endpoint.
- The attack vector involves improper limitation of path names to reach internal API functions: monitor for path traversal patterns in requests to Veeam Backup & Replication services.
- Post-exploitation activity includes uploading and executing arbitrary/malicious code: monitor Veeam Backup & Replication hosts for unexpected new executable files or process spawning from Veeam service processes.
- Affected versions are Veeam Backup & Replication 9.5U3, 9.5U4, 10.x, and 11.x: detections should be scoped to these versions; patched instances per KB4288 are not vulnerable.
- The NVD description states exploitation requires remote authenticated users, while CISA's description states unauthenticated access is possible: detection logic should account for both authenticated and unauthenticated attack scenarios against the Veeam Distribution Service.
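As an added example (not code from this page, Veeam, or any of the sources above), the following Python helper applies the two scoping points from the list: it checks a Veeam Backup & Replication build against the affected ranges in the table and flags path-traversal patterns (raw and percent-encoded) in request paths, rating hits "high" only on builds that are still vulnerable. The log lines and the `/placeholder-svc` endpoint are constructed assumptions; the page does not name the real endpoint.

```python
import re
from urllib.parse import unquote

# Affected build ranges from the page's table: affected if lo <= build < hi (hi is the fixed build).
AFFECTED_RANGES = [
    ((10, 0, 0, 4442), (10, 0, 1, 4854)),
    ((11, 0, 0, 825), (11, 0, 1, 1261)),
]
AFFECTED_LEGACY = {"9.5U3", "9.5U4"}  # listed on the page without build numbers
TRAVERSAL = re.compile(r"\.\.[/\\]")  # matches "../" or "..\"

def parse_build(version: str) -> tuple:
    """Turn '11.0.0.825' into (11, 0, 0, 825); shorter strings are zero-padded."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(version: str) -> bool:
    if version.strip() in AFFECTED_LEGACY:
        return True
    build = parse_build(version)
    return any(lo <= build < hi for lo, hi in AFFECTED_RANGES)

def has_traversal(path: str) -> bool:
    """Check the raw, once- and twice-percent-decoded path for '..' segments."""
    forms = {path, unquote(path), unquote(unquote(path))}
    return any(TRAVERSAL.search(f) for f in forms)

def scan(lines, host_version: str):
    """Return (severity, path) for each request line carrying a traversal pattern:
    'high' when the host build is in an affected range, 'info' when already fixed."""
    severity = "high" if is_affected(host_version) else "info"
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip
        path = fields[3]
        if has_traversal(path):
            hits.append((severity, path))
    return hits

# Constructed sample lines ("<time> <client> <method> <path> <status>"); "/placeholder-svc"
# stands in for the real endpoint, which the page does not name.
SAMPLE = [
    "2022-03-20T10:00:01Z 198.51.100.5 GET /placeholder-svc/status 200",
    "2022-03-20T10:00:02Z 198.51.100.5 POST /placeholder-svc/upload/..%2F..%2Fx 200",
    "2022-03-20T10:00:03Z 198.51.100.9 POST /placeholder-svc/upload/%252e%252e/x 200",
    "2022-03-20T10:00:04Z 198.51.100.9 POST /placeholder-svc/upload/report.txt 200",
]
```

Running `scan(SAMPLE, "11.0.0.825")` reports the two encoded traversal requests as "high"; the same lines on build 11.0.1.1261 come back as "info", matching the scoping note above.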
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
GHSA
GHSA-2vw2-587w-g9v6: Improper limitation of path names in Veeam Backup & Replication 9
ghsa_unreviewed · 2022-03-18 · CVE-2022-26500 [HIGH] CWE-22
Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4, 10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code.
VulnCheck
Veeam Backup & Replication Remote Code Execution Vulnerability
vulncheck · 2022 · CVSS 8.8 · CVE-2022-26500 [HIGH] CWE-22
The Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can send input to the internal API which may lead to uploading and executing of malicious code.
Affected: Veeam Backup & Replication
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication/; https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://securelist.com/cuba-ransomware/110533/; https:/
CISA
Veeam Backup & Replication Remote Code Execution Vulnerability
cisa · 2022-12-13 · CVSS 8.8 · CVE-2022-26500 [HIGH] CWE-22
Affected: Veeam Backup & Replication
The Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can send input to the internal API which may lead to uploading and executing of malicious code.
Required Action: Apply updates per vendor instructions.
Notes: https://www.veeam.com/kb4288; https://nvd.nist.gov/vuln/detail/CVE-2022-26500
Remediation Due Date: 2023-01-03
No detection rules found.
No public exploits indexed.
Qualys
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations | Qualys
blogs_qualys · 2025-05-08
#### Table of Contents
- Who is LockBit? How it Evolved and Operates
- Monero: The Coin of the Realm
- Patch or Mitigate Now: Critical CVEs Exploited by LockBit
- Beyond Traditional Endpoints: Other Compromised Systems
- Initial Access and Deployment
- Conclusion
The LockBit ransomware gang recently suffered a significant data breach. Their dark web affiliate panels were defaced with the message “Don’t do crime CRIME IS BAD xoxo from Prague,” linking to a MySQL database dump. This archive contains a SQL file from LockBit’s affiliate panel database that includes twenty tables, notably including a ‘btc_addresses’ table with 59,975 unique bitcoin addresses and a ‘chats’ table containing over 4,400 victim negotiation messages from December 2024 to the end of April 2025.
This blog post will
Securelist
From Caribbean shores to your devices: analyzing Cuba ransomware
blogs_securelist · 2023-09-11
Table of Contents
- Introduction
- Cuba ransomware gang
- Victimology
- Ransomware
- Cuba extortion model
- Arsenal
- Profits
- Investigation of a Cuba-related incident and analysis of the malware
  - Host: SRV_STORAGE
  - Bughatch
  - SRV_Service host
  - Veeamp
  - Avast Anti-Rootkit driver
  - Burntcigar
  - SRV_MAIL host (Exchange server)
  - SqlDbAdmin
  - Cobalt Strike
- New malware
- BYOVD (Bring Your Own Vulnerable Driver)
- Conclusion
- Appendix
Authors
- Alexander Kirichenko
- Gleb Ivanov
## Introduction
Knowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. This report takes a close look at the history of the Cuba group, and their attack tactics, techniques and procedures. We hope this article will help you to stay one step ahead of threats like this one.
Talos
Threat Source newsletter (Dec. 15, 2022): Talos Year in Review is here
blogs_talos · 2022-12-15
Welcome to this week’s edition of the Threat Source newsletter.
It’s the most wonderful time of the year, and I’m not talking about the holidays. The inaugural 2022 Talos Year in Review is here! And it’s taking over the final Threat Source newsletter of the year. Oh and did we mention we’re on Mastodon now? Talos, the gift that keeps on giving.
## The one big thing
The 2022 Talos Year in Review is officially launched and with it a comprehensive story of our work in the past year relying on a wide variety of data and expertise. We expect this data-driven story will shed some insight into Cisco’s and the security community’s most notable successes and remaining challenges. In addition, as these Year in Review reports continue in the future, we aim to provide data and narratives that help ex
Timeline: Published 2022-03-17 · Added to CISA KEV 2022-12-13 · Exploited in the wild