Multiple RCE Vulnerabilities Discovered in Veeam Backup & Replication App

Several critical and high-severity vulnerabilities have been discovered in the Veeam Backup & Replication application, and threat actors have been seen advertising fully weaponized tools that exploit them for remote code execution (RCE).

The findings come from security researchers at CloudSEK, who published an advisory about them earlier today.

“Several threat actors were seen advertising the fully weaponized tool for remote code execution to exploit the following vulnerabilities affecting Veeam Backup & Replication: CVE-2022-26500 and CVE-2022-26501 with a CVSS V3 score of 9.8 and CVE-2022-26504 with a CVSS V3 score of 8.8,” reads the technical write-up.

According to CloudSEK, successful exploitation of these Common Vulnerabilities and Exposures (CVEs) can lead to copying files within the boundaries of the locale or from a remote Server Message Block (SMB) network, RCE without authorization, or RCE/local privilege escalation (LPE) without authorization.

From a technical standpoint, Veeam Backup & Replication is a proprietary backup app for virtual environments built on VMware vSphere, Nutanix AHV and Microsoft Hyper-V hypervisors.

The application not only backs up and recovers virtual machines (VMs) but can also be used to protect and restore individual files and applications for environments such as Exchange and SharePoint.

As for attribution, CloudSEK has said malware named ‘Veeamp’ was found in the wild and used by the Monti and Yanluowang ransomware groups to dump credentials from an SQL database for Veeam backup management software.

The company has also found a GitHub repository named “veeam-creds” that contained scripts for recovering passwords from the Veeam Backup & Replication credential manager alongside three malicious files.

CloudSEK has disclosed the above vulnerabilities to Veeam, which has already released patches in the 11.0.1.1261 version of its software.

The text of the CloudSEK advisory is available on the company website and contains a complete list of Indicators of Compromise (IoCs).

Its publication comes a couple of months after virtualization technology software firm VMware released patches to fix a severe vulnerability in its VMware Tools suite of utilities.
