PT-2022-1828 · Veeam · Veeam Backup & Replication
Nikita Petrov · Published 2022-03-12 · Updated 2025-11-03
CVE-2022-26500
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Veeam Backup & Replication versions 9.5U3 through 9.5U4, 10.x, and 11.x
Description
An improper limitation of path names allows remote authenticated users to access internal API functions. This access could allow attackers to upload and execute arbitrary code. The issue is related to the Distribution Service and involves deficiencies in access control. Exploitation occurs through TCP port 9380. The vulnerability allows attackers to upload specially crafted data.
Recommendations
Veeam Backup & Replication versions 9.5U3 through 9.5U4 should be updated.
Veeam Backup & Replication 10.x should be updated.
Veeam Backup & Replication 11.x should be updated.
Fix
Improper Privilege Management
Path traversal
Related Identifiers
Affected Products
Veeam Backup & Replication