Vulnerability DatabaseCVE-2024-28222

CVE-2024-28222:
Veritas NetBackup Client vulnerability analysis and mitigation

Overview

A critical security vulnerability (CVE-2024-28222) has been discovered in Veritas NetBackup, affecting versions before 8.1.2 and NetBackup Appliance before 3.1.2. The vulnerability exists in the NetBackup BPCD process, which inadequately validates file paths, allowing unauthenticated attackers to upload and execute custom files. This vulnerability has received a CVSS v3.1 base score of 9.8, indicating its critical severity (NVD, Veritas Advisory).

Technical details

The vulnerability (CVE-2024-28222) is classified as a Remote Code Execution (RCE) vulnerability, stemming from insufficient validation of file paths in the NetBackup BPCD process. The critical severity rating (CVSS v3.1 score of 9.8) is based on the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no required privileges, and no user interaction needed for exploitation. The vulnerability is also associated with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

Impact

The vulnerability enables attackers to potentially steal sensitive data, access critical backups, deploy ransomware to encrypt backups and disrupt recovery efforts, and gain a foothold within networks to launch wider attacks. Given NetBackup's role in safeguarding organizational data, successful exploitation could lead to devastating consequences, including financial losses and reputational damage (Security Online).

Mitigation and workarounds

For NetBackup users running versions prior to 8.1.2, upgrading to version 8.3.0.2 or later is recommended. Users of NetBackup Appliance running versions prior to 3.1.2 should upgrade to version 3.3.0.2 MR2 or later. Organizations currently running version 8.1.2 or later of NetBackup, or 3.1.2 or later of NetBackup Appliance, require no immediate action (Veritas Advisory).

Additional resources

Source: This report was generated using AI

Related Veritas NetBackup Client vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2024-28222	CRITICAL	9.8	Veritas NetBackup Client	cpe:2.3:a:veritas:netbackup	No	Yes	Mar 07, 2024
CVE-2024-52945	HIGH	7.8	Veritas NetBackup Client	cpe:2.3:a:veritas:netbackup	No	Yes	Nov 18, 2024
CVE-2023-28759	HIGH	7.8	Veritas NetBackup Client	cpe:2.3:a:veritas:netbackup	No	Yes	Mar 23, 2023
CVE-2024-33672	HIGH	7.1	Veritas NetBackup Client	cpe:2.3:a:veritas:netbackup	No	Yes	Apr 26, 2024
CVE-2023-28758	HIGH	7.1	Veritas NetBackup Client	cpe:2.3:a:veritas:netbackup	No	Yes	Mar 23, 2023

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2024-28222: Veritas NetBackup Client vulnerability analysis and mitigation