Mar 14, 2022
Veeam has released patches for two critical issues impacting Backup & Replication, which provides backup and restore capabilities for virtual environments running on Hyper-V, vSphere, and Nutanix AHV, as well as for servers, workstations, and cloud-based workloads.
The two vulnerabilities, CVE-2022-26500 and CVE-2022-26501, which score 9.8 on the CVSS (Common Vulnerability Scoring System), can be used to execute code remotely and without authentication.
Veeam Backup & Replication versions 9.5, 10, and 11 are impacted by the two bugs, but patches were released for versions 10 and 11 only. Thus, those still using version 9.5 are advised to migrate to a supported release.
CVE-2022-26504 impacts Microsoft System Center Virtual Machine Manager (SCVMM) integration and could allow remote code execution even without admin credentials.
CVE-2022-26503 impacts Veeam Agents for Microsoft Windows and can be used to alter privileges and run code as LOCAL SYSTEM. The bug exists because code sent to the network port opened by Veeam Agent is not deserialized correctly.