CVE-2022-26501
published 2022-03-17

CVE-2022-26501: Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).

Priority: P1 (89)
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, remediation due 2023-01-03
Exploited in the wild
EPSS: 4.28% (89.9th percentile)

Affected (4 ranges)

Vendor   Product                   Version range                   Fixed in
veeam    veeam_backup_replication  -                               -
veeam    veeam_backup_replication  -                               -
veeam    veeam_backup_replication  >= 10.0.0.4442, < 10.0.1.4854   10.0.1.4854
veeam    veeam_backup_replication  >= 11.0.0.825, < 11.0.1.1261    11.0.1.1261

Detection & IOCs (extracted from sources)

  • The Veeam Distribution Service exposes internal API functions to unauthenticated users, so no credentials are needed to reach the vulnerable code path. Monitor for remote connections to the Veeam Distribution Service (TCP 9380 by default, per the vendor KB) from hosts that are not backup infrastructure components, and treat any unauthenticated API calls to it as a signal of exploitation attempts.
  • CVE-2022-26501 affects Veeam Backup & Replication 10.x and 11.x; scope detection and patching efforts to these version branches. Builds at or above the fixed builds in the Affected table (10.0.1.4854 and 11.0.1.1261) are not vulnerable.
  • Vendor patch guidance is available at https://www.veeam.com/kb4288; apply the updates per vendor instructions to remediate the unauthenticated API access path. The same KB also covers the companion issue (issue 2 of 2, tracked as CVE-2022-26500), so one patch cycle addresses both.
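The Affected table and the second bullet above reduce to a version comparison, and the common mistake in inventory scripts is comparing dotted build strings as text. The following is an added example written for this page, not Veeam's code and not part of the CVE feed; the affected ranges are copied from the table above, and the sample build strings at the bottom are constructed, not real hosts. It classifies a Veeam Backup & Replication build as inside an affected range, already at or above the fixed build for its branch, or outside the branches the page lists.

```python
# Added example for this page (not Veeam's code, not from the CVE feed).
# Decides whether a Veeam Backup & Replication build string is inside the
# affected ranges listed for CVE-2022-26501 and, if so, which build fixes it.
from typing import Optional, Tuple

# Affected ranges copied from the page: lower bound inclusive, upper bound
# exclusive. The upper bound of each range is the fixed build.
AFFECTED_RANGES = [
    ("10.0.0.4442", "10.0.1.4854"),
    ("11.0.0.825", "11.0.1.1261"),
]


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '11.0.1.1261' into (11, 0, 1, 1261) for numeric comparison.

    String comparison is the classic mistake here: as text, '11.0.0.825'
    sorts after '11.0.0.1261', yet it is the older build.
    """
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build string: {version!r}")
    nums = tuple(int(p) for p in parts)
    # Pad short strings ('11.0') so they compare like '11.0.0.0'.
    return nums + (0,) * (4 - len(nums))


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Classify a build against the ranges on the page.

    Returns one of:
      ("affected", fixed_build)  inside a listed range
      ("fixed", fixed_build)     same branch, at or above the fixed build
      ("unlisted", None)         outside the listed branches, or below a
                                 range's lower bound (the page says nothing
                                 about those builds, so do not assume safe)
    """
    v = parse_build(version)
    for lo, hi in AFFECTED_RANGES:
        lo_t, hi_t = parse_build(lo), parse_build(hi)
        if lo_t <= v < hi_t:
            return ("affected", hi)
        if v >= hi_t and v[0] == hi_t[0]:
            return ("fixed", hi)
    return ("unlisted", None)


def is_affected(version: str) -> bool:
    """Convenience wrapper for inventory scripts."""
    return assess(version)[0] == "affected"


if __name__ == "__main__":
    # Constructed inventory of build strings; not real hosts.
    for build in ["10.0.0.4461", "10.0.1.4854", "11.0.0.825",
                  "11.0.0.837", "11.0.1.1261", "11.0.1.1500", "12.0.0.1"]:
        status, fixed = assess(build)
        note = f" (update to {fixed})" if status == "affected" else ""
        print(f"{build}: {status}{note}")
```

Feed it the build string reported by the Veeam console or installed-programs inventory, without any patch suffix. An "unlisted" result means the page's data does not cover that build, not that it is safe; check the vendor KB for branches the table does not list.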

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        3.1      9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        2.0      10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck  -        9.8    CRITICAL  -
cisa       -        9.8    CRITICAL  -