CVE-2022-26501
Published 2022-03-17
CVE-2022-26501: Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).
Priority: P1 · 89 · critical · CVSS 3.1: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2023-01-03
Exploited in the wild
EPSS: 4.28% (89.9th percentile)
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| veeam | veeam_backup_replication | — | — |
| veeam | veeam_backup_replication | — | — |
| veeam | veeam_backup_replication | >= 10.0.0.4442 < 10.0.1.4854 | 10.0.1.4854 |
| veeam | veeam_backup_replication | >= 11.0.0.825 < 11.0.1.1261 | 11.0.1.1261 |
Detection & IOCs (extracted from sources)
- The Veeam Distribution Service exposes internal API functions to unauthenticated users; monitor for unauthenticated remote calls to the Veeam Distribution Service API as a detection signal for exploitation attempts.
- CVE-2022-26501 affects Veeam Backup & Replication 10.x and 11.x; scope detection and patching efforts to these specific version branches.
- Vendor patch guidance is available at https://www.veeam.com/kb4288; apply updates per vendor instructions to remediate the unauthenticated API access path.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Veeam Backup & Replication Remote Code Execution Vulnerability
cisa · 2022-12-13 · CVSS 9.8
CVE-2022-26501 [CRITICAL] CWE-306 Veeam Backup & Replication Remote Code Execution Vulnerability
Vulnerability: Veeam Backup & Replication Remote Code Execution Vulnerability
Affected: Veeam Backup & Replication
The Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can send input to the internal API which may lead to uploading and executing of malicious code.
Required Action: Apply updates per vendor instructions.
Notes: https://www.veeam.com/kb4288; https://nvd.nist.gov/vuln/detail/CVE-2022-26501
Remediation Due Date: 2023-01-03
GHSA
GHSA-vhpf-rh57-x3v9: Veeam Backup & Replication 10
ghsa_unreviewed · 2022-03-18
CVE-2022-26501 [CRITICAL] CWE-306 GHSA-vhpf-rh57-x3v9: Veeam Backup & Replication 10
Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).
VulnCheck
Veeam Backup & Replication Remote Code Execution Vulnerability
vulncheck · 2022 · CVSS 9.8
CVE-2022-26501 [CRITICAL] CWE-306 Veeam Backup & Replication Remote Code Execution Vulnerability
The Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can send input to the internal API which may lead to uploading and executing of malicious code.
Affected: Veeam Backup & Replication
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication/; https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://securelist.com/cuba-ransomware/110533/; https:/
No detection rules found.
No public exploits indexed.
Qualys
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
blogs_qualys · 2025-05-08
#### Table of Contents
- Who is LockBit? How it Evolved and Operates
- Monero: The Coin of the Realm
- Patch or Mitigate Now: Critical CVEs Exploited by LockBit
- Beyond Traditional Endpoints: Other Compromised Systems
- Initial Access and Deployment
- Conclusion
The LockBit ransomware gang recently suffered a significant data breach. Their dark web affiliate panels were defaced with the message “Don’t do crime CRIME IS BAD xoxo from Prague,” linking to a MySQL database dump. This archive contains a SQL file from LockBit’s affiliate panel database that includes twenty tables, notably including a ‘btc_addresses’ table with 59,975 unique bitcoin addresses and a ‘chats’ table containing over 4,400 victim negotiation messages from December 2024 to the end of April 2025.
This blog post will
Securelist
From Caribbean shores to your devices: analyzing Cuba ransomware
blogs_securelist · 2023-09-11
Table of Contents
Introduction
Cuba ransomware gang
Victimology
Ransomware
Cuba extortion model
Arsenal
Profits
Investigation of a Cuba-related incident and analysis of the malware
Host: SRV_STORAGE
Bughatch
SRV_Service host
Veeamp
Avast Anti-Rootkit driver
Burntcigar
SRV_MAIL host (Exchange server)
SqlDbAdmin
Cobalt Strike
New malware
BYOVD (Bring Your Own Vulnerable Driver)
Conclusion
Appendix
Authors
Alexander Kirichenko
Gleb Ivanov
## Introduction
Knowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. This report takes a close look at the history of the Cuba group, and their attack tactics, techniques and procedures. We hope th
Talos
Threat Source newsletter (Dec. 15, 2022): Talos Year in Review is here
blogs_talos · 2022-12-15
Welcome to this week’s edition of the Threat Source newsletter.
It’s the most wonderful time of the year, and I’m not talking about the holidays. The inaugural 2022 Talos Year in Review is here! And it’s taking over the final Threat Source newsletter of the year. Oh and did we mention we’re on Mastodon now? Talos, the gift that keeps on giving.
## The one big thing
The 2022 Talos Year in Review is officially launched, and with it a comprehensive story of our work in the past year, relying on a wide variety of data and expertise. We expect this data-driven story will shed some insight into Cisco’s and the security community’s most notable successes and remaining challenges. In addition, as these Year in Review reports continue in the future, we aim to provide data and narratives that help ex
Qualys
Introducing Qualys Threat Research Thursdays
blogs_qualys · 2022-09-01
## Table of Contents
Threat Intelligence from the Qualys Blog
New Threat Hunting Tools & Techniques
New Vulnerabilities
Introducing the Monthly Threat Thursdays Webinar
Welcome to the first edition of the Qualys Research Team’s “Threat Research Thursday” where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. We will endeavor to issue these update reports regularly, as often as every other week, or as our threat intelligence output warrants.
## Threat Intelligence from the Qualys Blog
Here is a roundup of the most interesting blogs from the Qualys Research Team from the past couple of weeks:
New Qualys Research Report: Evolution of Quasar RAT – This free downloadable report gives a sneak peek of the
Greynoiseio
NoiseLetter
blogs_greynoiseio
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Timeline
- 2022-03-17: Published
- 2022-12-13: Added to CISA KEV
- Exploited in the wild