Get in Touch
Veeam have published details of multiple critical vulnerabilities (CVE-2022-26500, CVE2022-26501) in their Backup & Replication software. The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions.
A remote attacker may send input to the internal API which may lead to the uploading and executing of malicious code.
Check if TCP port 9380 is exposed to the internet.
- Veeam Backup & Replication 9.5
- Veeam Backup & Replication 10
- Veeam Backup & Replication 11
Containment, Mitigations & Remediations
Patches are available for Veeam Backup versions 10a and 11a, but 9.5 is unsupported.
Indicators of Compromise
No known exploitation.
Backup solutions are highly desirable targets for extortion gangs as compromising backups makes it harder for organisations to recover from attacks such as ransomware. Veeam has been one backup solution which has been deliberately targeted by a variety of threat actors due to the large client base and the nature and size of those clients.
T1190 – Exploit Public-Facing Application.