CVE-2022-26500
published 2022-03-17


Priority: P1
CVSS 3.1: 8.8 (high)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, Ransomware
CISA Known Exploited Vulnerability, remediation due 2023-01-03
Exploited in the wild
EPSS: 5.94% (92.4th percentile)
Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4, 10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code.

Affected

6 ranges

Vendor | Product                  | Version range                  | Fixed in
veeam  | veeam_backup_replication |                                |
veeam  | veeam_backup_replication |                                |
veeam  | veeam_backup_replication |                                |
veeam  | veeam_backup_replication |                                |
veeam  | veeam_backup_replication | >= 10.0.0.4442 < 10.0.1.4854   | 10.0.1.4854
veeam  | veeam_backup_replication | >= 11.0.0.825 < 11.0.1.1261    | 11.0.1.1261

Detection & IOCs (extracted from sources)

  • The vulnerability is exploited via the Veeam Distribution Service, which allows unauthenticated users to access internal API functions — monitor for unexpected or unauthenticated requests to the Veeam Distribution Service API endpoint.
  • The attack vector involves improper limitation of path names to reach internal API functions — monitor for path traversal patterns in requests to Veeam Backup & Replication services.
  • Post-exploitation activity includes uploading and executing arbitrary/malicious code — monitor Veeam Backup & Replication hosts for unexpected new executable files or process spawning from Veeam service processes.
  • Affected versions are Veeam Backup & Replication 9.5U3, 9.5U4, 10.x, and 11.x — detections should be scoped to these versions; patched instances per KB4288 are not vulnerable.
  • The NVD description states exploitation requires remote authenticated users, while CISA's description states unauthenticated access is possible — detection logic should account for both authenticated and unauthenticated attack scenarios against the Veeam Distribution Service.

CVSS provenance

Source    | CVSS version | Score | Severity | Vector
nvd       | v3.1         | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0         | 6.5   | MEDIUM   | AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck |              | 8.8   | HIGH     |
cisa      |              | 8.8   | HIGH     |