Critical vulnerabilities in Veeam backup solutions; update immediately

This weekend, technology firm Veeam released security patches addressing two critical vulnerabilities in Backup & Replication, its backup solution for virtual environments. The product provides backup and restore capabilities for virtual machines running on Hyper-V, vSphere and Nutanix AHV, as well as for other cloud-based workloads.

Tracked as CVE-2022-26500 and CVE-2022-26501, these flaws could be exploited for remote code execution (RCE) on affected systems without authentication. Both carry a score of 9.8/10 under the Common Vulnerability Scoring System (CVSS).

According to the report, the flaws lie in the Veeam Distribution Service, which by default listens on TCP port 9380 and exposes internal API functions even to unauthenticated users. A remote attacker who can reach that port can send crafted input to the internal API and ultimately upload and execute malicious code, all without credentials.

The vulnerabilities affect Veeam Backup & Replication versions 9.5, 10 and 11. Version 9.5 is no longer supported, so the firm recommends that users still running it migrate to a supported version to mitigate the risk of exploitation.

The same update also patches two further high-severity vulnerabilities in Veeam products. The first, tracked as CVE-2022-26504, lies in the Veeam Backup & Replication component used for Microsoft System Center Virtual Machine Manager (SCVMM) integration and would allow unauthenticated threat actors to remotely execute code.

The second, CVE-2022-26503, resides in Veeam Agent for Microsoft Windows and could be exploited for local privilege escalation, letting an attacker execute arbitrary code as LOCAL SYSTEM.

Veeam adds that the patches must be installed on the Veeam Backup & Replication server itself; servers managed through the Veeam Distribution Service then receive the updates automatically. As an interim measure where patching is not immediately possible, the company recommends disabling the Veeam Distribution Service, which removes the unauthenticated TCP 9380 listener until the fix can be applied.
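The following PowerShell script is an added example, not code from Veeam or from this advisory. It turns the two practitioner questions raised above into a check that can be run in an elevated session on the backup server: is a Distribution Service listener exposed on TCP 9380 (and from which process), what version of Backup & Replication is installed, and, with the -Mitigate switch, apply the interim mitigation of stopping and disabling the service. The Windows service name 'VeeamDistributionSvc', the 'Veeam Backup & Replication*' uninstall DisplayName pattern and the treatment of major versions below 10 as out of support are assumptions made for this example; confirm the service name in services.msc and compare the reported version against the fixed builds listed in Veeam's advisory.

```powershell
<#
  Added example (not Veeam's code). Audits a Veeam Backup & Replication
  server for the CVE-2022-26500 / CVE-2022-26501 exposure described in the
  advisory and optionally applies the interim mitigation.
  Assumptions (not from the advisory): service name 'VeeamDistributionSvc',
  uninstall DisplayName 'Veeam Backup & Replication*', major version < 10
  treated as unsupported. Run elevated on the backup server.
#>
[CmdletBinding()]
param(
    [switch]$Mitigate,            # stop and disable the Distribution Service
    [string[]]$RemoteHosts = @()  # optional: other servers to probe on TCP 9380
)

$DistributionPort = 9380
$ServiceName      = 'VeeamDistributionSvc'   # assumption, verify in services.msc

# 1. Installed version, read from the Uninstall registry keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |
    Select-Object -First 1

if ($product) {
    $ver = [version]$product.DisplayVersion
    Write-Host "Installed: $($product.DisplayName) $ver"
    if ($ver.Major -lt 10) {
        Write-Warning "Version $ver is out of support; no patch is available, migrate to a supported release."
    } else {
        Write-Host "Compare $ver with the fixed build listed in Veeam's advisory before treating it as patched."
    }
} else {
    Write-Warning 'Veeam Backup & Replication was not found in the Uninstall registry keys.'
}

# 2. Local listener on TCP 9380 and the process that owns it.
$listeners = Get-NetTCPConnection -LocalPort $DistributionPort -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Warning ("TCP {0} is listening on {1} (PID {2}, {3})" -f `
            $DistributionPort, $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
    }
} else {
    Write-Host "Nothing is listening on TCP $DistributionPort on this host."
}

# 3. Optional network-side inventory: which other hosts answer on TCP 9380?
foreach ($h in $RemoteHosts) {
    $open = Test-NetConnection -ComputerName $h -Port $DistributionPort -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($open) { Write-Warning "$h accepts connections on TCP $DistributionPort" }
    else       { Write-Host    "$h : TCP $DistributionPort closed or filtered" }
}

# 4. Service state and, if requested, the interim mitigation.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found; check the service name in services.msc."
    return
}
Write-Host "$($svc.DisplayName): status=$($svc.Status) startup=$($svc.StartType)"

if ($Mitigate) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $ServiceName -Force }
    Set-Service -Name $ServiceName -StartupType Disabled
    $svc.Refresh()
    Write-Host "Mitigation applied: $ServiceName is $($svc.Status) and set to $($svc.StartType)."
    Write-Host "Re-enable the service after patching so managed servers receive their updates."
}
```

Run it first without -Mitigate to see the version, the listener and the service state; pass a list of backup servers in -RemoteHosts from a separate workstation to find every host that still exposes port 9380 to the network. Note the trade-off built into the mitigation: the same Distribution Service that exposes the unauthenticated listener is what pushes patches to managed servers, so after disabling it the managed servers will not update until it is turned back on following the fix.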

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.