CVE-2022-26504
Veeam Backup & Replication vulnerability analysis and mitigation

Overview

An improper authentication vulnerability (CVE-2022-26504) affects the component of Veeam Backup & Replication versions 9.5U3, 9.5U4, 10.x, and 11.x that is used for Microsoft System Center Virtual Machine Manager (SCVMM) integration. The vulnerability was discovered and disclosed in March 2022, with a CVSS v3 score of 8.8 (High severity) (Veeam KB, CloudSEK Report).

Technical details

The vulnerable process Veeam.Backup.PSManager.exe (TCP 8732 by default) allows authentication using non-administrative domain credentials. The vulnerability only affects Veeam Backup & Replication installations with an SCVMM server registered, while default installations are not vulnerable (Veeam KB).

Impact

Successful exploitation of this vulnerability allows attackers to execute arbitrary code remotely, which can lead to gaining control over the target system. The vulnerability affects Veeam Backup & Replication, which is used by 70% of Fortune 2000 companies, including major firms such as Volkswagen, Siemens, Deloitte, Shell, Fujitsu, Airbus, and Puma (SecurityWeek).

Mitigation and workarounds

Patches were released for Veeam Backup & Replication versions 11a (build 11.0.1.1261 P20220302) and 10a (build 10.0.1.4854 P20220304). The patch must be installed on the Veeam Backup & Replication server. All new deployments of versions 11 and 10 installed using ISO images dated 20220302 or later are not vulnerable (Veeam KB).
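
The patch levels above can be turned into a fleet triage check. The following is an added example, not code from Veeam or from the original page; it compares both the build number and the P tag listed above. Assumptions: build strings look like `11.0.1.1261 P20220302`, a string without a P tag is treated as unpatched, and the host names and inventory rows are constructed.

```python
import re

# Fixed builds from the paragraph above: major -> (build, P-tag).
FIXED = {
    11: ((11, 0, 1, 1261), 20220302),
    10: ((10, 0, 1, 4854), 20220304),
}
BUILD_RE = re.compile(r"^\s*(\d+(?:\.\d+){1,3})(?:\s+P(\d{8}))?\s*$")


def parse_build(text):
    """'11.0.1.1261 P20220302' -> ((11, 0, 1, 1261), 20220302); no tag -> 0."""
    m = BUILD_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised build string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts += (0,) * (4 - len(parts))
    return parts, int(m.group(2) or 0)


def triage(build_text, scvmm_registered):
    """Classify one server using only the facts stated in this advisory."""
    build, ptag = parse_build(build_text)
    if not scvmm_registered:
        return "not_exposed"             # no SCVMM server registered
    if build[:2] == (9, 5):
        return "affected_no_fix_listed"  # 9.5 line: no fixed build on this page
    if build[0] not in FIXED:
        return "not_listed"              # version not covered by this page
    # Assumption: the P-tag is a YYYYMMDD date, so later tags compare higher.
    return "patched" if (build, ptag) >= FIXED[build[0]] else "affected"


if __name__ == "__main__":
    # Constructed inventory rows: (host, reported build, SCVMM registered?)
    inventory = [
        ("vbr-01", "11.0.1.1261 P20220302", True),
        ("vbr-02", "11.0.1.1261", True),
        ("vbr-03", "10.0.1.4854 P20220302", True),
        ("vbr-04", "11.0.0.837", False),
    ]
    for host, build, scvmm in inventory:
        print(f"{host:8} {build:24} {triage(build, scvmm)}")
```

Servers reported as `not_exposed` only reflect the SCVMM condition stated under Technical details; they still carry an unpatched component if the build is below the fixed level.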

Community reactions

The vulnerability gained significant attention when CloudSEK reported multiple threat actors advertising a fully weaponized tool for remote code execution. Additionally, researchers discovered a GitHub repository containing scripts for recovering passwords from the Veeam Backup and Replication credential manager (CloudSEK Report).

This report was generated using AI