What is the Backup Exec Agent Data Management Protocol?
The Veritas Backup Exec Agent exposes a data management protocol on TCP port 10000 that allows authorized Backup Exec servers to initiate backup jobs, restore files, query system information, and perform maintenance operations on the protected host. This protocol includes commands that instruct the agent to perform operations on the host — including file system operations and administrative tasks. Because the Backup Exec Agent runs as a Windows service with elevated privileges (typically LocalSystem or a high-privilege service account), commands executed through the agent's protocol run with those elevated privileges. Any vulnerability that allows an attacker to send arbitrary commands through the data management protocol results in high-privilege OS command execution on the protected host.
Overview
CVE-2021-27878 is a command execution vulnerability in the Veritas Backup Exec Agent that allows an attacker with low-privilege credentials (PR:L) to send a specially crafted data management protocol command that executes an arbitrary OS command on the Backup Exec Agent machine. The full impact (C:H/I:H/A:H) reflects complete host compromise: code execution in the context of the Backup Exec Agent service, which runs with high privileges. CVE-2021-27878 is the highest-impact vulnerability in the VTS21-001 cluster. On its own it provides remote code execution; combined with CVE-2021-27877's authentication bypass, it enables unauthenticated RCE (auth bypass → command execution) on every host with a Backup Exec agent. Veritas patched all three VTS21-001 vulnerabilities in March 2021; CISA added them to the KEV catalog in April 2023 following confirmed ransomware exploitation.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Backup Exec 16.x | Yes | 16.2 Security Patch (VTS21-001) |
| Backup Exec 20.x | Yes | 20.6 Security Patch (VTS21-001) |
| Backup Exec 21.x | Yes | 21.1 Security Patch (VTS21-001) |
Technical Details
- Root cause: Insufficient validation of data management protocol commands — the Backup Exec Agent processes a protocol command that includes an attacker-controlled string passed to an OS shell or execution context without proper sanitization, resulting in arbitrary command execution on the agent host
- Low-privilege requirement: PR:L — an attacker with any valid Backup Exec credential (including low-privilege accounts) can trigger this vulnerability; combined with CVE-2021-27877's authentication bypass, the effective requirement becomes PR:N (unauthenticated)
- Full host compromise: C:H/I:H/A:H — code execution in the Backup Exec Agent service context (typically LocalSystem or equivalent) provides full read/write access to all files on the host and the ability to install persistence, dump credentials, and laterally move through the network
- VTS21-001 chain endpoint: CVE-2021-27877 (auth bypass) → CVE-2021-27878 (command execution) = unauthenticated RCE on any host with a Backup Exec agent; this chain requires only network access to TCP port 10000 and no valid credentials
- Enterprise-wide impact: In large enterprises, Backup Exec agents are deployed on every protected server — including domain controllers, file servers, application servers, and database servers; a single exploit chain against a Backup Exec deployment can provide code execution on every machine in the backup scope
Discovery
Reported to Veritas and patched in VTS21-001 on March 1, 2021. The April 2023 CISA KEV addition followed incident investigations where ransomware operators used CVE-2021-27877 + CVE-2021-27878 to achieve remote code execution across enterprise environments via Backup Exec agent infrastructure — particularly targeting environments where Backup Exec agents were reachable from compromised internal network positions.
Exploitation Context
CVE-2021-27878 is the command execution endpoint of the most dangerous Backup Exec exploitation chain. When combined with CVE-2021-27877's authentication bypass, an attacker can achieve unauthenticated RCE on every host in an enterprise with a Backup Exec agent — potentially hundreds of servers — by targeting a single infrastructure port. Ransomware operators find this particularly valuable because: (1) it provides code execution on domain controllers and other high-value servers without additional exploitation, (2) it enables direct deployment of ransomware across the backup scope, and (3) it ensures backup destruction and primary system encryption occur simultaneously, maximizing the difficulty of recovery. ALPHV/BlackCat affiliates and other ransomware operators incorporated VTS21-001 exploitation into attack toolkits.
Remediation
- Apply Veritas Backup Exec VTS21-001 patches for all installed Backup Exec versions immediately
- Firewall TCP port 10000: restrict access to only the authorized Backup Exec server's IP address — this single control eliminates network exploitability even on unpatched agents
- Patch all three VTS21-001 vulnerabilities together: CVE-2021-27877 (auth bypass), CVE-2021-27876 (file access), and CVE-2021-27878 (command execution)
- Audit all hosts where Backup Exec agents are installed and verify TCP port 10000 is not accessible from unexpected network segments
- Review Backup Exec agent logs for unexpected connections or unusual command patterns — legitimate backup operations follow predictable scheduled patterns
- Maintain offline or immutable backup copies independent of Backup Exec agents to preserve recovery capability if agent-accessible backups are compromised
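One way to carry out the port 10000 audit and log review from the list above, as an added example that is not Veritas tooling or part of the original advisory: it parses Windows Firewall log records (a constructed sample) and flags inbound agent connections from anything other than the authorized Backup Exec server, or from that server outside the job schedule. The server address 10.0.1.5 and the 01:00-04:00 backup window are assumed placeholders.

```python
import ipaddress
from datetime import datetime, time

# Assumptions (not from the page): the authorized Backup Exec server address
# and the nightly job window are site-specific placeholders.
AUTHORIZED_SERVERS = {ipaddress.ip_address("10.0.1.5")}
BACKUP_WINDOW = (time(1, 0), time(4, 0))   # scheduled jobs run 01:00-04:00
AGENT_PORT = 10000

# Constructed sample in Windows Firewall log format (pfirewall.log).
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-04-10 02:15:03 ALLOW TCP 10.0.1.5 10.0.2.15 49832 10000 0 - 0 0 0 - - - RECEIVE
2023-04-10 02:15:09 ALLOW TCP 10.0.2.15 10.0.1.5 50011 445 0 - 0 0 0 - - - SEND
2023-04-10 14:42:51 ALLOW TCP 10.0.1.5 10.0.2.15 50122 10000 0 - 0 0 0 - - - RECEIVE
2023-04-10 14:43:10 ALLOW TCP 10.0.7.88 10.0.2.15 51544 10000 0 - 0 0 0 - - - RECEIVE
2023-04-10 14:43:12 DROP TCP 10.0.7.91 10.0.2.15 51545 10000 0 - 0 0 0 - - - RECEIVE
"""

def parse(log_text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def findings(log_text):
    """Return (timestamp, src-ip, reason) for suspicious inbound agent traffic."""
    out = []
    for r in parse(log_text):
        if (r.get("protocol"), r.get("dst-port"), r.get("path")) != ("TCP", str(AGENT_PORT), "RECEIVE"):
            continue  # only inbound TCP traffic to the agent port is of interest
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        src = ipaddress.ip_address(r["src-ip"])
        if src not in AUTHORIZED_SERVERS:
            reason = "unauthorized source " + ("reached agent" if r["action"] == "ALLOW" else "blocked")
        elif not BACKUP_WINDOW[0] <= ts.time() <= BACKUP_WINDOW[1]:
            reason = "authorized server outside backup window"
        else:
            continue  # authorized server, inside the scheduled window
        out.append((ts.isoformat(), str(src), reason))
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(*f, sep="  ")
```

Windows Firewall only records ALLOW entries when logging of successful connections is enabled, so turn that on for agent hosts before relying on this check.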
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-27878 |
| Vendor / Product | Veritas — Backup Exec Agent |
| NVD Published | 2021-03-01 |
| NVD Last Modified | 2025-11-03 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CISA KEV Added | 2023-04-07 |
| CISA KEV Deadline | 2023-04-28 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2021-03-01 | Veritas publishes security advisory VTS21-001 patching CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878 in Backup Exec Agent |
| 2021-03-01 | CVE published |
| 2023-04-07 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2023-04-28 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Veritas Security Advisory VTS21-001 | Vendor Advisory |
| NVD — CVE-2021-27878 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |