CVE-2022-26500

CVSS 8.8 HIGH · EPSS 5.9% · KEV · CWE-22
Vexday Risk Score: 51 (Attention)
SSVC decision (CISA): Act (exploitation + impact → act immediately)
Indicators: CVSS 8.8 · EPSS 5.9% · KEV · simPoC · Nuclei · Metasploit · Patch
Lifecycle
17 Mar 2022: Published on NVD
13 Dec 2022: Active exploitation confirmed (added to CISA KEV)
Recommendation: Patch as soon as possible. Active exploitation is confirmed.
In short

A path-validation flaw (CWE-22) in Veeam Backup & Replication lets a remote authenticated user bypass restrictions on the request path, reach internal API functions that are not meant to be exposed, and upload and execute arbitrary code on the system.

Technical detail

Improper limitation of path names (CWE-22) in Veeam Backup & Replication 9.5U3, 9.5U4, 10.x and 11.x lets a remote attacker with low-privileged credentials (AV:N/PR:L/UI:N) circumvent access controls on internal API functions and upload and execute arbitrary code. Confidentiality, integrity and availability impact are all rated High (C:H/I:H/A:H); the scope is unchanged (S:U).

Summary generated and translated by AI from the official description.
Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4, 10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code.
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
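The page names the weakness class (CWE-22, improper limitation of a pathname) but gives no detail on the actual bypass, and the example below does not try to reconstruct it. It is an added illustration of how a CWE-22 flaw turns into an access-control bypass on an API: a router that decides whether a request targets an "internal" API by comparing the raw request path against a prefix, beside a hardened check that canonicalizes the path (percent-decoding until stable, collapsing slashes, treating backslashes as separators, resolving `.` and `..` segments) before the comparison. This is not Veeam's code; the route prefix `/api/internal`, the function names and the sample requests are all constructed for the demonstration.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical route prefix for privileged API functions (assumption for this example).
INTERNAL_PREFIX = "/api/internal"


def naive_is_internal(raw_path: str) -> bool:
    """Flawed check: compares the raw, un-normalized request path against the prefix.

    Any encoding, dot segment or doubled separator changes the string without
    changing where the router ultimately dispatches, so the check is bypassable.
    """
    return raw_path.startswith(INTERNAL_PREFIX + "/")


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to a single canonical form before any authorization decision."""
    path = raw_path
    # Percent-decode until stable so double-encoded sequences (%252e%252e -> %2e%2e -> ..) are caught.
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("excessive percent-encoding nesting")
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    path = path.replace("\\", "/")      # backslash is a separator on Windows hosts
    path = re.sub(r"/+", "/", path)     # collapse "//" so posixpath.normpath sees one root
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)     # resolves "." and ".." segments, strips trailing "/"


def hardened_is_internal(raw_path: str) -> bool:
    """Authorization check performed on the canonical path, so evasions collapse to the real target."""
    path = canonicalize(raw_path)
    return path == INTERNAL_PREFIX or path.startswith(INTERNAL_PREFIX + "/")


# Constructed sample requests (not captured traffic); each is a classic CWE-22 evasion
# of a prefix check done on the raw string, plus one legitimate public route.
SAMPLE_REQUESTS = [
    "/api/internal/exec",                    # direct hit: both checks flag it
    "/api/public/../internal/exec",          # dot-dot segment
    "/api/./internal/exec",                  # single-dot segment
    "/api//internal/exec",                   # doubled slash
    "/api/%69nternal/exec",                  # percent-encoded letter ("%69" == "i")
    "/api/public/%252e%252e/internal/exec",  # double-encoded ".."
    "/api/public/..\\internal/exec",         # backslash as separator
    "/api/public/list",                      # legitimate public route, must stay allowed
]


def compare(requests=SAMPLE_REQUESTS):
    """Return {raw_path: (naive_verdict, hardened_verdict)} for each sample request."""
    return {r: (naive_is_internal(r), hardened_is_internal(r)) for r in requests}


if __name__ == "__main__":
    for raw, (naive, hardened) in compare().items():
        print(f"{raw!r:45} naive={naive!s:5} hardened={hardened}")
```

Run stand-alone, the table shows the naive check flagging only the first request while the hardened check flags every evasion and still admits `/api/public/list`. The design point is ordering: canonicalize first, authorize second, and make the decision on the same normalized value the dispatcher will use. A deny-list on internal prefixes, as shown here for brevity, is weaker than an allow-list of public routes; if the dispatcher can be reached with any path not on the allow-list, the default should be to reject.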
Affected products
Veeam Backup & Replication 9.5U3, 9.5U4, 10.x and 11.x (as listed in the official description; no CPE vendor/product entry is recorded)
