---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Multiple Critical Vulnerabilities in Veeam'
version: '1.0'
number: '2022-019'
date: 'March 21, 2022'
---

_History:_

* _21/03/2022 --- v1.0 -- Initial publication_

# Summary

On 12/03/2022 Veeam published multiple critical vulnerabilities (CVE-2022-26500, CVE-2022-26501) [2, 3] in Veeam products which allow remote code execution without authentication. These vulnerabilities may allow an attacker to gain control over the targeted system. The publication was last modified by Veeam on 18/03/2022 [1].

# Technical Details

The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send crafted input to the internal API, which may allow unauthenticated users to upload and execute malicious code on the affected products.

# Affected Products

According to Veeam the affected products are:

- Veeam Backup & Replication 9.5
- Veeam Backup & Replication 10
- Veeam Backup & Replication 11

However, all new deployments of Veeam Backup & Replication versions 11a and 10a installed using the ISO images dated 20220302 or later are not vulnerable [1].

# Recommendations and Mitigations

CERT-EU recommends following the specific steps listed for each of the following versions of the product.

Patches are available for the following product versions [1]:

- Veeam Backup & Replication 11a (build 11.0.1.1261 P20220302)
- Veeam Backup & Replication 10a (build 10.0.1.4854 P20220304)

There is no patch for Veeam Backup & Replication 9.5, because support for the product ended in January 2022 [4]. Veeam suggests upgrading to supported versions of the product [5].

As a temporary mitigation of the vulnerabilities, Veeam suggests stopping and disabling the Veeam Distribution Service. The Veeam Distribution Service is installed on the Veeam Backup & Replication server and on servers specified as distribution servers in Protection Groups.

# References

[1]

[2]

[3]

[4]

[5]
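The following PowerShell script is an added example, not part of the CERT-EU advisory or of Veeam's own tooling, that applies the temporary mitigation described under "Recommendations and Mitigations": it locates the Veeam Distribution Service on a Windows host, reports whether the default port TCP 9380 is listening, lists the installed Veeam Backup & Replication version for comparison against the patched builds named above, and, only when run with `-Apply`, stops and disables the service. It assumes the service can be found by its display name "Veeam Distribution Service" and that the product registers itself under the standard Windows uninstall registry keys with a `DisplayVersion` value; both are assumptions, not facts stated in the advisory.

```powershell
# Added example (not from the CERT-EU advisory or Veeam): check a Windows host for the
# Veeam Distribution Service and, on request, apply the advisory's temporary mitigation
# (stop and disable the service). Assumptions: the service is identified by its display
# name "Veeam Distribution Service" and listens on TCP 9380 (the advisory's default port).
# Run from an elevated PowerShell session on the backup server or a distribution server.

param(
    [switch]$Apply   # without -Apply the script only reports; with it, it stops and disables the service
)

$displayName = 'Veeam Distribution Service'
$port        = 9380

# 1. Locate the service by display name (the short service name is not assumed here).
$svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $svc) {
    Write-Output "No service with display name '$displayName' found on $env:COMPUTERNAME; nothing to mitigate."
    return
}
Write-Output ("Service '{0}' ({1}) is {2}, start type {3}" -f $svc.DisplayName, $svc.Name, $svc.Status, $svc.StartType)

# 2. Report whether anything is listening on the default distribution port.
$listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $pids = ($listener.OwningProcess | Sort-Object -Unique) -join ', '
    Write-Output "TCP $port is listening (owning PID(s): $pids)."
} else {
    Write-Output "TCP $port is not listening."
}

# 3. Report installed Veeam Backup & Replication versions from the Windows uninstall registry
#    keys, so the result can be compared with the patched builds named in the advisory
#    (11.0.1.1261 P20220302 and 10.0.1.4854 P20220304). The exact DisplayVersion format
#    used by the Veeam installer is an assumption; treat this output as informational.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |
    ForEach-Object { Write-Output ("Installed: {0} version {1}" -f $_.DisplayName, $_.DisplayVersion) }

# 4. Apply the temporary mitigation only when explicitly requested.
if ($Apply) {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force
        Write-Output "Stopped service $($svc.Name)."
    }
    # Disabling the start type keeps the service down across reboots until the patch is applied.
    Set-Service -Name $svc.Name -StartupType Disabled
    Write-Output "Set start type of $($svc.Name) to Disabled."
    # Re-read the service to confirm the new state.
    $svc = Get-Service -Name $svc.Name
    Write-Output ("Now: {0}, start type {1}" -f $svc.Status, $svc.StartType)
} else {
    Write-Output "Report only. Re-run with -Apply to stop and disable the service (temporary mitigation until patched)."
}
```

Run it once without `-Apply` on every Veeam Backup & Replication server and every distribution server named in Protection Groups to inventory where the service is present, then with `-Apply` on hosts that cannot be patched immediately; the service state should be restored only after the patched build for the installed version has been applied.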