CVE-2022-26501
Veeam Backup & Replication vulnerability analysis and mitigation

Overview

CVE-2022-26501 is a critical vulnerability affecting Veeam Backup & Replication versions 9.5, 10.x, and 11.x. The vulnerability was discovered by Nikita Petrov from Positive Technologies and disclosed in March 2022. It involves improper authentication that allows attackers to execute arbitrary code remotely without authentication (CVE Details, Veeam KB).

Technical details

The vulnerability has received a critical CVSS v3.1 base score of 9.8 and a CVSS v2.0 score of 10.0. The vulnerability exists in the Veeam Distribution Service (TCP port 9380 by default), which allows unauthenticated users to access internal API functions. A remote attacker can send malicious input to the internal API, potentially leading to code execution (NVD, Veeam KB).

Impact

Successful exploitation of this vulnerability could result in complete system compromise, giving attackers control over the target system. Potential impacts include data loss, ransomware infection, and denial-of-service attacks. Ransomware groups such as Monti and Yanluowang have been observed exploiting the vulnerability to steal login information from the SQL databases of Veeam backup management software (SOCRadar).

Mitigation and workarounds

Veeam has released patches for versions 10 and 11 with builds 10a (10.0.1.4854 P20220304) and 11a (11.0.1.1261 P20220302) respectively. Users of version 9.5 are advised to upgrade to a supported version. As a temporary mitigation, organizations can stop and disable the Veeam Distribution Service on both the Veeam Backup & Replication server and servers specified as distribution servers in Protection Groups (Veeam KB).
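
The following triage helper is an added example, not code from Veeam or from the sources cited here. It classifies installed version strings against the fixed levels quoted above. It assumes the "P" suffix is a YYYYMMDD patch date that orders chronologically and that later builds of the same major version keep the fix; the hostnames and unpatched builds are constructed.

```python
import re

# Fixed levels quoted in the advisory text above: major -> (build, patch date).
FIXED = {
    10: ((10, 0, 1, 4854), 20220304),
    11: ((11, 0, 1, 1261), 20220302),
}
VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){1,3})(?:\s+P(\d{8}))?\s*$")


def triage(version: str) -> str:
    """Classify one version string, e.g. '11.0.1.1261 P20220302'."""
    m = VERSION_RE.match(version)
    if not m:
        return "unknown"                      # unparseable: check by hand
    build = tuple(int(p) for p in m.group(1).split("."))
    build += (0,) * (4 - len(build))          # pad '9.5' to (9, 5, 0, 0)
    patch = int(m.group(2)) if m.group(2) else 0
    if build[:2] == (9, 5):
        return "upgrade"                      # no fixed 9.5 build is listed
    if build[0] not in FIXED:
        return "not-listed"                   # outside 9.5 / 10.x / 11.x
    fixed_build, fixed_patch = FIXED[build[0]]
    if build > fixed_build:
        return "patched"                      # assumption: later builds keep the fix
    if build == fixed_build and patch >= fixed_patch:
        return "patched"
    return "vulnerable"                       # older build, or patch tag missing/older


def report(inventory: dict) -> dict:
    """Map each host to its triage status."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed inventory (hostnames and unpatched builds are made up).
SAMPLE = {
    "vbr-01": "11.0.1.1261 P20220302",
    "vbr-02": "11.0.1.1261",
    "vbr-03": "10.0.0.4461",
    "vbr-04": "9.5.4.2866",
}

if __name__ == "__main__":
    for host, status in report(SAMPLE).items():
        print(f"{host}: {status}")
```

A host reported as "vulnerable" or "upgrade" is a candidate for the temporary mitigation above (stopping and disabling the Veeam Distribution Service) until it is patched.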

This report was generated using AI
