CVE-2022-26501 : Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 o

Products affected by CVE-2022-26501

Veeam » Veeam Backup & Replication
Versions from including (>=) 10.0.0.4442 and before (<) 10.0.1.4854
cpe:2.3:a:veeam:veeam_backup_\&_replication:*:*:*:*:*:*:*:*
Matching versions
Veeam » Veeam Backup & Replication
Versions from including (>=) 11.0.0.825 and before (<) 11.0.1.1261
cpe:2.3:a:veeam:veeam_backup_\&_replication:*:*:*:*:*:*:*:*
Matching versions
Veeam » Veeam Backup & Replication » Version: 10.0.1.4854
cpe:2.3:a:veeam:veeam_backup_\&_replication:10.0.1.4854:-:*:*:*:*:*:*
Matching versions
Veeam » Veeam Backup & Replication » Version: 10.0.1.4854 Update P20201202
cpe:2.3:a:veeam:veeam_backup_\&_replication:10.0.1.4854:p20201202:*:*:*:*:*:*
Matching versions
Veeam » Veeam Backup & Replication » Version: 10.0.1.4854 Update P20210609
cpe:2.3:a:veeam:veeam_backup_\&_replication:10.0.1.4854:p20210609:*:*:*:*:*:*
Matching versions
Veeam » Veeam Backup & Replication » Version: 11.0.1.1261
cpe:2.3:a:veeam:veeam_backup_\&_replication:11.0.1.1261:-:*:*:*:*:*:*
Matching versions
Veeam » Veeam Backup & Replication » Version: 11.0.1.1261 Update P20211123
cpe:2.3:a:veeam:veeam_backup_\&_replication:11.0.1.1261:p20211123:*:*:*:*:*:*
Matching versions
Veeam » Veeam Backup & Replication » Version: 11.0.1.1261 Update P20211211
cpe:2.3:a:veeam:veeam_backup_\&_replication:11.0.1.1261:p20211211:*:*:*:*:*:*
Matching versions

CVE-2022-26501 is in the CISA Known Exploited Vulnerabilities Catalog

This issue is known to have been leveraged as part of a ransomware campaign.

CISA vulnerability name:

Veeam Backup & Replication Remote Code Execution Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

The Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can send input to the internal API which may lead to uploading and executing of malicious code.

Notes:

https://www.veeam.com/kb4288; https://nvd.nist.gov/vuln/detail/CVE-2022-26501

Added on 2022-12-13 Action due date 2023-01-03

Exploit prediction scoring system (EPSS) score for CVE-2022-26501

EPSS FAQ

5.73%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 94 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-26501

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-03
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-26501

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-26501