CVE-2021-27876 — Veritas Backup Exec Agent File Access Vulnerability

CVE-2021-27876

Veritas Backup Exec Agent — SHA Authentication Flaw Enables Attacker to Access and Modify Files on Backup Agent; Exploited by Ransomware to Destroy Backups

What is Veritas Backup Exec?

Veritas Backup Exec is an enterprise data protection platform widely used by organizations to back up servers, workstations, and application data to disk, tape, and cloud storage. The Backup Exec Agent (RAWS — Remote Agent for Windows Systems) is installed on every machine being backed up; it runs as a Windows service with elevated privileges and communicates with the central Backup Exec server over TCP port 10000. Because backup agents have broad read (and potentially write) access to the files on protected systems — and because backup infrastructure represents an organization's last line of defense against ransomware — compromising the backup agent gives attackers both intelligence (access to all protected data) and the ability to undermine recovery capability (modifying or deleting backup data to maximize ransomware impact).

Overview

CVE-2021-27876 is a file access vulnerability in the Veritas Backup Exec Agent resulting from a flaw in the SHA (hash-based) authentication protocol used by the agent's data management interface. An attacker with network access and low-privilege credentials (PR:L) can exploit the authentication weakness to gain unauthorized access to files on the Backup Exec Agent machine — reading protected data or modifying files outside the attacker's normal permission boundary. CVE-2021-27876 is part of a three-CVE cluster in Veritas advisory VTS21-001, alongside CVE-2021-27877 (SHA authentication bypass) and CVE-2021-27878 (arbitrary command execution). Veritas patched all three in March 2021; CISA added CVE-2021-27876 to the KEV catalog in April 2023, two years after the patch, confirming active ransomware exploitation of unpatched Backup Exec deployments.

Affected Versions

| Product | Vulnerable | Fixed |
| --- | --- | --- |
| Backup Exec 16.x | Yes | 16.2 Security Patch (VTS21-001) |
| Backup Exec 20.x | Yes | 20.6 Security Patch (VTS21-001) |
| Backup Exec 21.x | Yes | 21.1 Security Patch (VTS21-001) |

Technical Details

  • Root cause: Weakness in the SHA authentication protocol used by the Backup Exec Agent's data management interface (TCP 10000) — the hash-based authentication can be exploited by an attacker who can communicate with the agent port; with valid low-privilege credentials (or using the authentication flaw), the attacker gains access to the file access API, which is normally restricted to authorized backup operations
  • File read and write: The CVSS C:H/I:H profile indicates the attacker can both read (exfiltrate) files from the agent machine and write (modify) files — giving them access to all data protected by the backup agent and the ability to corrupt or tamper with backup content
  • VTS21-001 cluster: CVE-2021-27876 (file access) + CVE-2021-27877 (SHA auth bypass) + CVE-2021-27878 (command execution) form a complete exploitation chain — CVE-2021-27877 bypasses authentication entirely, CVE-2021-27876 provides file access, and CVE-2021-27878 achieves remote code execution on the agent host
  • Backup infrastructure targeting: Ransomware operators specifically target backup infrastructure to delete or corrupt backups before deploying ransomware on primary systems — ensuring victims cannot recover without paying the ransom; CVE-2021-27876 provides the file access needed to identify and corrupt/delete backup catalog and media files
  • Two-year KEV gap: The April 2023 CISA KEV addition (two years after the March 2021 patch) reflects sustained exploitation of unpatched Backup Exec deployments by ransomware operators well after the patch was available

Discovery

Reported to Veritas and patched in security advisory VTS21-001 published March 1, 2021, covering CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878 together. The CISA KEV addition in April 2023 was prompted by confirmed ransomware operator exploitation of the Backup Exec Agent vulnerabilities in incidents where attackers specifically targeted backup infrastructure as part of ransomware deployment.

Exploitation Context

Backup software agents are among the highest-value targets for ransomware operators because compromising them simultaneously provides access to all protected data (intelligence gathering) and the ability to prevent recovery (deleting or corrupting backups). CVE-2021-27876 in Backup Exec is directly useful to ransomware groups in the pre-encryption phase: after gaining a foothold on a network, attackers identify Backup Exec agents (TCP port 10000), exploit CVE-2021-27876 to access backup catalogs and data, and either delete the backup data directly or prepare for corruption before detonating ransomware on primary systems. The April 2023 CISA KEV addition was associated with reported incidents where ransomware groups (including ALPHV/BlackCat and related affiliates) specifically targeted Backup Exec as part of multi-stage ransomware operations.

Remediation

  1. Apply Veritas Backup Exec VTS21-001 patches for all installed Backup Exec versions (16.x, 20.x, 21.x) — see the Veritas support portal for specific patch packages
  2. Restrict network access to Backup Exec Agent port (TCP 10000): only the authorized Backup Exec server should be able to reach agent ports; firewall rules should block all other sources from accessing this port
  3. Review Backup Exec agent logs for unauthorized connection attempts or unexpected file access operations
  4. Apply the fixes for all three CVEs in VTS21-001 together — CVE-2021-27877 (auth bypass) and CVE-2021-27878 (command execution) are equally critical and must be patched alongside CVE-2021-27876
  5. Implement offline and immutable backup copies: maintain at least one backup copy in an air-gapped, immutable, or cloud-based destination that cannot be modified via network-accessible Backup Exec agents — this preserves recovery capability even if the Backup Exec infrastructure is compromised
  6. Monitor for connections to Backup Exec agent ports from unexpected source IPs; in well-configured environments, only the Backup Exec server should ever connect to agent ports
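
One way to implement the monitoring in step 6, as an added example (not Veritas tooling and not code from the original page): it scans Windows Firewall log text for inbound TCP connections to port 10000 from sources outside an allow-list. The function name, the log sample and every IP address are constructed for illustration, and it assumes the agent host's firewall logs both allowed and dropped connections.

```python
import ipaddress
from collections import Counter

AGENT_PORT = 10000  # Backup Exec Agent port named on this page

# Constructed sample in Windows Firewall log (pfirewall.log) layout; all addresses are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-04-10 01:00:02 ALLOW TCP 10.0.5.20 10.0.8.31 51522 10000 0 - 0 0 0 - - - RECEIVE
2023-04-10 02:14:07 ALLOW TCP 10.0.9.77 10.0.8.31 49811 10000 0 - 0 0 0 - - - RECEIVE
2023-04-10 02:14:09 DROP TCP 10.0.9.77 10.0.8.31 49812 10000 0 - 0 0 0 - - - RECEIVE
2023-04-10 02:15:30 ALLOW TCP 10.0.8.31 10.0.5.20 50100 443 0 - 0 0 0 - - - SEND
2023-04-10 02:16:44 ALLOW UDP 10.0.9.77 10.0.8.31 5353 10000 0 - - - - - - - RECEIVE
2023-04-10 02:17:01 truncated
"""


def unexpected_agent_connections(log_text, allowed_sources, port=AGENT_PORT):
    """Count inbound TCP hits on the agent port from sources outside
    allowed_sources (IPs or CIDR ranges). Returns Counter{(src_ip, action): n}."""
    allowed = [ipaddress.ip_network(s, strict=False) for s in allowed_sources]
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        if rec["protocol"] != "TCP" or rec["dst-port"] != str(port):
            continue
        if rec.get("path", "RECEIVE") != "RECEIVE":
            continue  # only inbound traffic to the agent matters here
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except ValueError:
            continue
        if not any(src in net for net in allowed):
            hits[(rec["src-ip"], rec["action"])] += 1
    return hits
```

Pass the Backup Exec server's address (or its subnet) as `allowed_sources`; an `ALLOW` hit from any other source means the port restriction in step 2 is not in effect for that host.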

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2021-27876 |
| Vendor / Product | Veritas — Backup Exec Agent |
| NVD Published | 2021-03-01 |
| NVD Last Modified | 2025-11-03 |
| CVSS 3.1 Score | 8.1 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| Severity | HIGH |
| CISA KEV Added | 2023-04-07 |
| CISA KEV Deadline | 2023-04-28 |
| Known Ransomware Use | ⚠️ Yes |

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2023-04-28. Apply updates per vendor instructions.

Timeline

| Date | Event |
| --- | --- |
| 2021-03-01 | Veritas publishes security advisory VTS21-001 patching CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878 in Backup Exec Agent |
| 2021-03-01 | CVE published |
| 2023-04-07 | Added to CISA Known Exploited Vulnerabilities catalog — two years after patch, reflecting confirmed ransomware exploitation |
| 2023-04-28 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
| --- | --- |
| Veritas Security Advisory VTS21-001 | Vendor Advisory |
| NVD — CVE-2021-27876 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |