There are currently two critical Common Vulnerabilities and Exposures (CVEs) that affect Veeam Backup & Replication and account for two of the three critical Veeam Backup & Replication CVEs and the most serious of the products affected as at the time of writing this piece. The Critical Veeam Backup & Replication vulnerability notes include CVE-2022-26500 | CVE-2022-26501. Kindly refer to these related guides: Veeam Certified Architect: A review of the VMCA Training & Certification, Standalone Veeam ONE installation: How to set up Veeam ONE 11 Server, how to uninstall Veeam Backup and Replication from your server, and Azure Backup and Recovery: How to setup Veeam Backup for Microsoft Azure [Part 1]
These two CVEs (CVE-2022-26500, CVE–2022-26501) allow executing malicious code remotely without authentication. This may lead to gaining control over the target system. This carries a CVSS rating of 9.8 and its severity classified as Critical. Here is a fix for Veeam Agent vulnerability for Microsoft Windows.
The vulnerability is caused by the Veeam Distribution Service running on TCP 9380 by default. This allows unauthenticated users to access internal Veeam API functions. An attacker may send input to the Veeam API which may allow uploading and executing malicious code.
Worth noting: All new deployments of Veeam Backup & Replication versions 11 and 10 installed using the ISO images dated 20220302 or later are not vulnerable.
How can I temporarily resolve this issue?
This is the current workaround described by Veeam. It is recommended to stop and disable the Veeam Distribution Service. The Veeam Distribution Service is installed on the Veeam Backup & Replication server and servers specified as distribution servers in Protection Groups.
This temporal solution is only recommended when you do not have a maintenance window available to patch the VBR Server.
It is worth noting that patches are available for Veeam 11a and 10a below. The patch must be installed on the Veeam Backup & Replication server. Managed servers with Veeam Distribution Service will be updated automatically after installing the patch.
Note: If you are using Veeam Backup & Replication 9.5, please upgrade to a supported product version.