CVE-2022-26500 — Veeam Backup & Replication Remote Code Execution Vulnerability

Veeam Backup & Replication Distribution Service — Unauthenticated API Access Enabling Remote Code Execution

What is Veeam Backup & Replication?

Veeam Backup & Replication is one of the most widely deployed enterprise backup solutions, used to protect virtual machines (VMware vSphere, Microsoft Hyper-V), physical servers, and cloud workloads. Because backup infrastructure has privileged access to all protected systems — including domain controllers, file servers, and databases — it is an extremely high-value ransomware target. Compromising a Veeam server can give attackers access to backup data for exfiltration, the ability to delete backups to eliminate recovery options, and credentials used for backup agent connections across the environment.

Overview

CVE-2022-26500 is a remote code execution vulnerability in the Veeam Distribution Service, a component of Veeam Backup & Replication. The Distribution Service (TCP port 9380) exposes an internal API that lacks proper authentication, allowing unauthenticated users with network access to the service to call internal API methods — including those that can upload and execute arbitrary code on the Veeam server. Ransomware groups actively exploited this vulnerability to both steal backup data and destroy backups as part of double-extortion campaigns.

Affected Versions

Product | Vulnerable | Fixed
Veeam Backup & Replication 9.5 | Yes | See KB4288
Veeam Backup & Replication 10 | < 10.0.1.4854 P20220304 | 10.0.1.4854 P20220304
Veeam Backup & Replication 11 | < 11.0.1.1261 P20220302 | 11.0.1.1261 P20220302
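
The thresholds in the table above can be checked against an asset inventory. The following is an added example, not code from Veeam or from the original page; it assumes builds are recorded in the same "build Pdate" form the table uses, and the hostnames and sample builds are constructed.

```python
import re

# Fixed builds from this page's Affected Versions table (per KB4288).
FIXED = {10: ((10, 0, 1, 4854), 20220304), 11: ((11, 0, 1, 1261), 20220302)}
_BUILD_RE = re.compile(r"^\s*(\d+(?:\.\d+){1,3})(?:\s+P(\d{8}))?\s*$")

# Constructed sample inventory (hostnames and build strings are illustrative).
INVENTORY = {
    "vbr-a.example.internal": "11.0.1.1261 P20220302",
    "vbr-b.example.internal": "11.0.1.1261",
    "vbr-c.example.internal": "10.0.1.4854 P20210609",
    "vbr-d.example.internal": "9.5.4.2866",
    "vbr-e.example.internal": "not installed",
}

def parse_build(text):
    """Split '11.0.1.1261 P20220302' into ((11, 0, 1, 1261), 20220302)."""
    m = _BUILD_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised build string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts += (0,) * (4 - len(parts))              # pad '9.5' -> (9, 5, 0, 0)
    patch = int(m.group(2)) if m.group(2) else 0  # no P-suffix: treat as unpatched
    return parts, patch

def triage(text):
    """Classify one build string as fixed, vulnerable, see-KB4288 or unknown."""
    try:
        build, patch = parse_build(text)
    except ValueError:
        return "unknown"
    major = build[0]
    if major == 9:
        return "see-KB4288"   # table lists 9.5 as vulnerable, fix per KB4288
    if major not in FIXED:
        # Majors above 11 are later than the fixed builds; older ones are not listed.
        return "fixed" if major > 11 else "unknown"
    # Tuple comparison: build number first, then patch date. The same build
    # number without the required P-date is therefore still vulnerable.
    return "fixed" if (build, patch) >= FIXED[major] else "vulnerable"

def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(build) for host, build in inventory.items()}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:28} {status}")
```
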

Technical Details

The Veeam Distribution Service runs on TCP port 9380 as part of the backup management infrastructure. The vulnerability exists because this service does not enforce authentication before allowing clients to invoke internal API operations.

  • Attack vector: Network — the service is accessible from any host that can reach port 9380
  • Authentication required: Low/None — the CVSS 3.1 vector rates Privileges Required as Low (PR:L), and the Distribution Service API was accessible without proper credentials
  • Impact: Arbitrary code upload and execution on the Veeam backup server with high privileges
  • Attack path: Enumerate Veeam server → connect to port 9380 → call upload/execute API → deploy web shell or ransomware payload
  • Backup destruction: After achieving RCE, ransomware operators routinely delete or encrypt Veeam backup databases and repositories to prevent victim recovery, maximizing ransom leverage

Also tracked: CVE-2022-26501 (similar RCE in Veeam, same patch).

Discovery

The vulnerability was reported to Veeam by Positive Technologies researchers. Veeam released patches in March 2022; CISA added the CVE to its KEV catalog in December 2022 following confirmed ransomware exploitation.

Exploitation Context

Veeam vulnerabilities are a consistent ransomware target because backup servers have privileged access across the entire environment. Ransomware groups (Cuba ransomware, FIN7-linked actors) exploited CVE-2022-26500 to achieve initial access or lateral movement into backup infrastructure, then stole backup data, deleted backup chains, and deployed ransomware — maximizing the difficulty of recovery and strengthening extortion leverage.

Remediation

  1. Upgrade to Veeam Backup & Replication 10.0.1.4854 P20220304 or 11.0.1.1261 P20220302 (or later) per KB4288
  2. Restrict network access to Veeam ports (9380, 9392, 9393, 9401, 9501) to trusted management hosts only — these ports should never be internet-facing
  3. Apply network segmentation so backup infrastructure is isolated from general office and user networks
  4. Audit Veeam configuration for unauthorized job modifications, backup deletions, or added credentials
  5. Ensure backup copies are stored in immutable storage (Veeam's immutable backup repository feature or air-gapped offline copies) to survive ransomware deletion attempts

Key Details

Property | Value
CVE ID | CVE-2022-26500
Vendor / Product | Veeam — Backup & Replication
NVD Published | 2022-03-17
NVD Last Modified | 2025-11-03
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-22
CISA KEV Added | 2022-12-13
CISA KEV Deadline | 2023-01-03
Known Ransomware Use | ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-01-03. Apply updates per vendor instructions.

Timeline

Date | Event
2022-03-12 | Veeam publishes KB4288 and patches for CVE-2022-26500 and CVE-2022-26501
2022-03-17 | CVE published
2022-12-13 | Added to CISA Known Exploited Vulnerabilities catalog
2023-01-03 | CISA BOD 22-01 remediation deadline