Veeam Software has released updates addressing two critical security vulnerabilities in Backup & Replication, a backup solution for virtual environments.
Unauthenticated threat actors can exploit the two vulnerabilities, tracked as CVE-2022-26500 and CVE-2022-26501, to achieve remote code execution. Both flaws exist in the Veeam Distribution Service, which listens on TCP port 9380 by default and allows unauthenticated users to access internal Veeam API functions. A threat actor can send crafted input to this API to have the target system load and execute malicious code.
The critical vulnerabilities affect Veeam Backup & Replication versions 9.5, 10, and 11. Unfortunately, Veeam Software has only released updates that fix the vulnerabilities for versions 10 and 11. For this reason, users running version 9.5 are advised to upgrade to a supported version.