Skip to the main content.
Government Programs
Integrated technology, solutions, and services that support rapid innovation within the DoD ecosystem.

CMMC Preparation & Assessment
Cybersecurity Assurance Readiness (CSAR®/RMF Pro)
ATO/RMF Support

Book GP Demo

Professional Services
Expertise in security strategy, incident response readiness, policy development, and risk assessments.

Risk Assessments
vCISO
Penetration Testing

Book ProServ Demo

Digital Forensics & Incident Response
Are You Under Attack?

If you are concerned about a potential threat or are experiencing a breach, contact our 24/7/365 emergency hotline at 888-860-0452.

CONTACT US

Subscribe-to-NetSec-News-v4Subscribe to NetSec News

Sign up to receive our biweekly newsletter that covers what's happening in cybersecurity including news, trends, and thought leadership.

SIGN UP

Ingalls Information Security

At our core, Ingalls is a company that strives to be helpful to our clients while continuously innovating and evolving our technology and solutions. Since 2010, we have been dedicated to building a team and product that can stay steps ahead of threats, attacks, and vulnerabilities in an ever-changing landscape.

Meet The Leadership Team

3 min read

Veeam Server RCE Cybersecurity Advisory

The Veeam Distribution Service installed on Veeam Backup & Replication servers runs on TCP 9380 with default settings, and allows unauthenticated users to access internal API functions. This may allow a remote attacker to send input to the internal API which could lead to uploading and execution of malicious code.

Further, a vulnerability (CVE-2022-26504) exists in a component of Veeam Backup & Replication that is used for Microsoft System Center Virtual Machine Manager (SCVMM) integration. Authentication using non-administrative domain credentials is allowed via the Veeam.Backup.PSManager.exe process using default settings on TCP 8732.

Note: Only Veeam Backup & Replication installations with an SCVMM server registered are vulnerable to CVE-2022-26504. Default installations would not be affected; however, until they’re patched, they remain subject to the other two listed CVEs.

The vulnerabilities were reported by Nikita Petrov (Positive Technologies).


Affected Software / System

This advisory specifically applies to the following products:

  • Veeam Backup & Replication v9.5
  • Veeam Backup & Replication v10
  • Veeam Backup & Replication v11



CVE (if applicable)

  • CVE-2022-26500
  • CVE-2022-26501
  • CVE-2022-26504


Type

Veeam Distribution Service Remote Code Execution


Exploit Status: 

Unknown. No known POCs are available yet, but weaponization is anticipated soon.


Rating

CVE-2022-26500 & CVE-2022-26501
Severity: Critical
CVSS v3 score: 9.8

CVE-2022-26504
Severity: Important/High
CVSS v3 score: 8.8


Impact

Vulnerabilities CVE-2022-26500 and CVE-2022-26501 in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system.

Vulnerability CVE-2022-26504 allows for authentication using non-administrative domain credentials. This vulnerability allows malicious domain users to remotely execute arbitrary code and may lead to gaining control over the target system.

Once a targeted system is compromised, there is a high risk of an organization's infrastructure backups being corrupted and/or ransomed, as well as a risk of lateral movement by the threat actor.

In general, Ingalls highly discourages organizations from exposing Veeam servers to the Internet. If these servers are web-exposed, these vulnerabilities can be leveraged for lateral movement, privilege escalation, data exfiltration, and to establish persistence post-compromise.


Temporary Mitigation

Disable the Veeam Distribution Service: The most secure mitigation option is for organizations to disable the Distribution Service on the Backup & Replication server (and any specified as distribution servers in Protection Groups) until it can be patched. However, this may not be possible or appropriate in all environments.

Mitigation/Workaround Impact: Disabling the Distribution Service prevents the Veeam architecture from uploading the Veeam Agent setup file, preventing automated agent deployment.


Ingalls recommends the following actions:

Veeam has released two new versions of Veeam Backup & Replication to address all three of these vulnerabilities. It is recommended that the latest version respective of your installations be installed immediately on the Veeam Backup & Replication server. Managed servers with Veeam Distribution Service will be updated automatically after installing the patch.

VEEAM BACKUP & REPLICATION V9.5

Veeam Backup & Replication v9.5 is currently unsupported. If you are running Veeam Backup & Replication v9.5 U4b v9.5.4.2866 use the ISO to upgrade to Veeam Backup & Replication v11a 11.0.1.1261 P20220302.

VEEAM BACKUP & REPLICATION V10

Veeam Backup & Replication v10a v10.0.1.4854 P20220304 addresses the above three vulnerabilities when you install it on the Veeam Backup & Replication Server.

This patch can be installed on Veeam Backup & Replication installations running v10.0.1.4854. When running a previous version of Veeam Backup & Replication, update to version 10a (10.0.1.4854) before installing the patch.

Note: Installing the patch to address these three vulnerabilities will prevent upgrades to Veeam Backup & Replication v11 and will only be compatible with an upgrade to Veeam Backup & Replication v11a.

Note: Veeam Cloud Connect service providers running Veeam Backup & Replication v10a need to upgrade directly to version 11 instead.

VEEAM BACKUP & REPLICATION V11

Veeam Backup & Replication v11a 11.0.1.1261 P20220302 addresses the above three vulnerabilities when you install it on the Veeam Backup & Replication Server.

This patch can be installed on Veeam Backup & Replication installations running v11.0.1.1261. When running a previous version of Veeam Backup & Replication, update to version 10a (10.0.1.4854) before installing the patch.

 

Ingalls is dedicated to protecting your network and your information by providing defense-in-depth security through your Managed Detection & Response (MDR) service. As an added layer of defense, Ingalls now offers monitoring and support by a team of live Security Analysts in our Security Operations Center (SOC) 24 hours a day, every day of the year. ‘Round the clock, MDR provides extended coverage with continuous analysis, response and escalation so you can have the peace of mind that comes from knowing your network is being monitored in real-time even if your business hours have stopped. Please contact us for more information.

Cybersecurity Advisory: Patches for 6 Actively Exploited Zero Days

Cybersecurity Advisory: Patches for 6 Actively Exploited Zero Days

It's important that organizations deploy last week's "Patch Tuesday" patches as soon as possible. These patches include several critical, high, and...

Read More
Cybersecurity Advisory for Spring4Shell & Spring Cloud

Cybersecurity Advisory for Spring4Shell & Spring Cloud

Spring4Shell: This new vulnerability was released as a Proof-of-Concept by AntGroup FG Security Lab on March 29, 2022, and it was found to lead to a...

Read More
Citrix ADC and Citrix Gateway Vulnerabilities

Citrix ADC and Citrix Gateway Vulnerabilities

On July 18th, 2023, Citrix issued an alert to customers regarding a critical vulnerability (CVE-2023-3519) in its NetScaler ADC and NetScaler Gateway...

Read More