1. Home
  2. Mapping Frameworks
  3. Known Exploited Vulnerabilities Home
  4. Veeam Backup & Replication Remote Code Execution Vulnerability

Known Exploited Vulnerabilities CVE-2022-26501 Mappings

Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2022-26501 Veeam Backup & Replication Remote Code Execution Vulnerability secondary_impact T1036 Masquerading
Comments
This vulnerability is exploited by a remote, unauthenticated attacker to access internal API functions and send malicious code to the Veeam Distribution Service via the default TCP port 9380. This vulnerability has been exploited by threat actors associated with the AvosLocker ransomware. Kroll analysts have observed these actors using this vulnerability, alongside CVE-2022-26500, to potentially exfiltrate data and download malicious tools while appearing as legitimate activity to evade detection.
References
  1. https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update
  2. https://thehackernews.com/2022/12/cisa-alert-veeam-backup-and-replication.html
  3. https://www.cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication
  4. https://www.rapid7.com/db/vulnerabilities/veeam-backup-and-replication-cve-2022-26501/
CVE-2022-26501 Veeam Backup & Replication Remote Code Execution Vulnerability secondary_impact T1048 Exfiltration Over Alternative Protocol
Comments
This vulnerability is exploited by a remote, unauthenticated attacker to access internal API functions and send malicious code to the Veeam Distribution Service via the default TCP port 9380. This vulnerability has been exploited by threat actors associated with the AvosLocker ransomware. Kroll analysts have observed these actors using this vulnerability, alongside CVE-2022-26500, to potentially exfiltrate data and download malicious tools while appearing as legitimate activity to evade detection.
References
  1. https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update
  2. https://thehackernews.com/2022/12/cisa-alert-veeam-backup-and-replication.html
  3. https://www.cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication
  4. https://www.rapid7.com/db/vulnerabilities/veeam-backup-and-replication-cve-2022-26501/
CVE-2022-26501 Veeam Backup & Replication Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
Comments
This vulnerability is exploited by a remote, unauthenticated attacker to access internal API functions and send malicious code to the Veeam Distribution Service via the default TCP port 9380. This vulnerability has been exploited by threat actors associated with the AvosLocker ransomware. Kroll analysts have observed these actors using this vulnerability, alongside CVE-2022-26500, to potentially exfiltrate data and download malicious tools while appearing as legitimate activity to evade detection.
References
  1. https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update
  2. https://thehackernews.com/2022/12/cisa-alert-veeam-backup-and-replication.html
  3. https://www.cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication
  4. https://www.rapid7.com/db/vulnerabilities/veeam-backup-and-replication-cve-2022-26501/
CVE-2022-26501 Veeam Backup & Replication Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
Comments
This vulnerability is exploited by a remote, unauthenticated attacker to access internal API functions and send malicious code to the Veeam Distribution Service via the default TCP port 9380. This vulnerability has been exploited by threat actors associated with the AvosLocker ransomware. Kroll analysts have observed these actors using this vulnerability, alongside CVE-2022-26500, to potentially exfiltrate data and download malicious tools while appearing as legitimate activity to evade detection.
References
  1. https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update
  2. https://thehackernews.com/2022/12/cisa-alert-veeam-backup-and-replication.html
  3. https://www.cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication
  4. https://www.rapid7.com/db/vulnerabilities/veeam-backup-and-replication-cve-2022-26501/