CVE-2022-26500: 
Veeam Backup & Replication vulnerability analysis and mitigation

CVE-2022-26500 is a critical vulnerability in Veeam Backup & Replication software versions 9.5U3, 9.5U4, 10.x, and 11.x. The vulnerability, discovered by Nikita Petrov from Positive Technologies, allows remote authenticated users to access internal API functions that could lead to arbitrary code execution. The flaw was disclosed in March 2022 and received a critical CVSS score of 9.8 (Veeam KB, Help Net Security).

The vulnerability stems from improper limitation of path names in the Veeam Distribution Service (TCP port 9380 by default). This service allows unauthenticated users to access internal API functions, where a remote attacker can send malicious input to the internal API, potentially leading to uploading and executing malicious code (SOCRadar, Veeam KB).

Successful exploitation of this vulnerability could result in attackers gaining complete control over the target system. The potential consequences include data loss, ransomware infection, and denial-of-service attacks. The vulnerability has been observed being exploited by ransomware groups such as Monti and Yanluowang to steal login information from Veeam backup management software SQL databases (SOCRadar).

Veeam has released patches for versions 10 and 11 with versions 10a (build 10.0.1.4854 P20220304) and 11a (build 11.0.1.1261 P20220302). Users of version 9.5 are advised to upgrade to a supported version. As a temporary workaround, organizations can stop and disable the Veeam Distribution Service. The patch must be installed on the Veeam Backup & Replication server, and managed servers with Veeam Distribution Service will be updated automatically after installing the patch (Veeam KB).