The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities impacting Veeam Backup & Replication software to its Known Exploited Vulnerabilities (KEV) Catalogue, citing evidence of active exploitation in the wild.
The now-patched critical flaws, tracked as CVE-2022-26500 and CVE-2022-26501, are both rated 9.8 on the CVSS scoring system, and could be leveraged to gain control of a target system.
“The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions,” Veeam noted in an advisory published in March 2022. “A remote attacker may send input to the internal API which may lead to uploading and executing of malicious code.”
Both the issues that impact product versions 9.5, 10, and 11 have been addressed in versions 10a and 11a. Users of Veeam Backup & Replication 9.5 are advised to upgrade to a supported version.
images from Hacker News