CVE-2022-26501 — Veeam Backup & Replication Remote Code Execution Vulnerability

Veeam Backup & Replication — Unauthenticated RCE via Exposed Distribution Service API; Used by Ransomware

What is Veeam Backup & Replication?

Veeam Backup & Replication is the market-leading enterprise backup and data recovery platform, used by hundreds of thousands of organizations worldwide to protect VMware, Hyper-V, physical servers, and cloud workloads. It is a critical component of disaster recovery infrastructure. For ransomware operators, Veeam is an extremely high-value target: compromising backup infrastructure enables attackers to delete or encrypt backup repositories before deploying ransomware, eliminating the victim's ability to recover without paying the ransom.

Overview

CVE-2022-26501 is a critical missing-authentication vulnerability (CWE-306) in the Veeam Distribution Service component of Veeam Backup & Replication. The Veeam Distribution Service (which listens on TCP port 9380 by default) exposes internal API functions that can be reached without authentication, allowing a remote attacker to upload and execute arbitrary code on the Veeam backup server. It carries a CVSS 3.1 score of 9.8 and is flagged for known ransomware use. The 9-month gap between the patch (March 2022) and the KEV addition (December 2022) indicates that ransomware operators were actively targeting unpatched Veeam installations to sabotage backup recovery before deploying ransomware.

Affected Versions

Version                                      Status
Veeam Backup & Replication 11.0.x            Patched in 11.0.1.1261 P20220302
Veeam Backup & Replication 10.0.x            Patched in 10.0.1.4854 P20220304
Veeam Backup & Replication 9.x and earlier   End of support — upgrade required

Technical Details

The Veeam Distribution Service is an internal component responsible for distributing Veeam software and components to protected hosts. In affected versions, this service's network listener (TCP port 9380) accepts and processes API requests without requiring authentication.

The unauthenticated API exposes internal functions including the ability to:

  • Upload arbitrary files to the Veeam server
  • Execute uploaded files with the privileges of the Veeam service (typically SYSTEM or a high-privilege service account)

An attacker with network access to the Veeam server can:

  1. Connect to TCP port 9380
  2. Send API requests to upload a malicious executable
  3. Trigger execution of the uploaded file
  4. Achieve SYSTEM-level code execution on the Veeam backup server

Veeam backup servers are high-privilege systems by design — they require elevated access to connect to protected workloads for backup jobs, making them valuable lateral movement targets.
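A defender's first question for this bug is who can actually reach TCP 9380 (and the other internal Veeam service ports named in the remediation guidance). The following added example, which is not part of the advisory or of any Veeam tooling, runs that check over firewall log lines: it flags allowed connections to those ports from any source outside a management allowlist. The key=value log format, the allowlist networks and the sample lines are all constructed for the example.

```python
"""Flag connections to Veeam internal service ports from hosts outside an
allowlist. Added example, not from the advisory or from Veeam. The log
format (key=value lines) and the management allowlist are constructed."""
import re
from ipaddress import ip_address, ip_network

# Ports named in the advisory: Distribution Service (9380) plus the other
# internal service ports the remediation guidance says to firewall.
VEEAM_SERVICE_PORTS = {9380, 9401, 9395, 9396}

# Constructed example: the backup VLAN and one management jump host are
# the only sources that should ever reach these ports.
ALLOWED_SOURCES = [ip_network("10.50.0.0/24"), ip_network("10.10.1.5/32")]

LINE_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; non-matching lines yield {}."""
    return dict(LINE_RE.findall(line))

def is_allowed_source(src):
    addr = ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_suspicious(lines):
    """Return (timestamp, src, dport) for allowed TCP connections to a
    Veeam service port whose source is not on the allowlist."""
    hits = []
    for line in lines:
        f = parse_line(line)
        try:
            dport = int(f.get("dport", -1))
        except ValueError:
            continue
        if dport not in VEEAM_SERVICE_PORTS:
            continue
        if f.get("action", "").lower() != "allow":
            continue  # denied attempts are worth counting, but carried no access
        if "src" in f and not is_allowed_source(f["src"]):
            hits.append((f.get("ts"), f["src"], dport))
    return hits

# Constructed sample firewall log (not real traffic)
SAMPLE_LOG = [
    "ts=2022-11-02T10:01:00Z src=10.50.0.7 dst=10.50.0.10 dport=9380 proto=tcp action=allow",
    "ts=2022-11-02T10:02:14Z src=192.0.2.44 dst=10.50.0.10 dport=9380 proto=tcp action=allow",
    "ts=2022-11-02T10:02:20Z src=198.51.100.9 dst=10.50.0.10 dport=9401 proto=tcp action=deny",
    "ts=2022-11-02T10:03:05Z src=10.10.1.5 dst=10.50.0.10 dport=9395 proto=tcp action=allow",
    "ts=2022-11-02T10:04:40Z src=10.20.3.8 dst=10.50.0.10 dport=443 proto=tcp action=allow",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("ALERT unexpected access to Veeam service port:", hit)
```

Only the second sample line is reported: an allowed connection to 9380 from an address outside both allowlisted networks.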

Discovery

Discovered by security researchers and reported to Veeam's security team. Veeam published their patch in March 2022. Active exploitation by ransomware operators was confirmed by December 2022.

Exploitation Context

Ransomware operators have made backup infrastructure a priority target in double-extortion campaigns. By compromising Veeam backup servers, attackers can:

  1. Map backup repositories: Identify what data is backed up and where repositories are stored
  2. Delete or encrypt backup repositories: Eliminate the victim's ability to restore without paying
  3. Exfiltrate backup data: Backup repositories contain snapshots of production data — valuable for exfiltration
  4. Pivot to protected systems: Veeam's service credentials provide authenticated access to every system it backs up

Known ransomware groups that specifically targeted Veeam infrastructure include FIN7 and multiple ransomware-as-a-service operators. The 9-month gap before the KEV addition reflects continued exploitation of organizations still running unpatched Veeam installations, a common situation given Veeam's complexity and the change-management requirements that backup system updates carry.

Remediation

  1. Patch Veeam immediately: Update to Veeam Backup & Replication 11.0.1.1261 P20220302 or 10.0.1.4854 P20220304.
  2. Firewall Veeam service ports: Restrict access to Veeam's internal service ports (9380, 9401, 9395, 9396, and others) to the Veeam server itself and authorized management workstations — never internet-accessible.
  3. Network segmentation: Place Veeam backup servers on a dedicated backup VLAN isolated from general production networks.
  4. Verify repository integrity: After patching, verify backup repository contents have not been tampered with or deleted.
  5. Privileged account review: Audit the service accounts used by Veeam for lateral movement indicators — check for unauthorized authentications to protected hosts.
  6. Implement 3-2-1 backup strategy: Maintain offline or air-gapped backup copies that cannot be reached from the network even if the primary Veeam server is compromised.
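Step 1 depends on reading the installed build correctly: the fix for each branch is a P-suffixed hotfix on top of a base build, so a server reporting 11.0.1.1261 without the P20220302 suffix is still vulnerable. The following added example, not Veeam's own tooling, classifies version strings against the two fix levels named in the advisory; the "build PYYYYMMDD" string format and the sample inventory are assumptions made for the example.

```python
"""Decide whether a Veeam Backup & Replication build string is at or above
the CVE-2022-26501 fix level named in the advisory. Added example; not
Veeam's own tooling. The 'build PYYYYMMDD' string format is assumed."""
import re

# Fix levels from the advisory: base build plus the P-suffixed patch date.
# The patch is a hotfix on top of the base build, so the build number
# alone is not enough; the P-date must be checked as well.
FIXED = {
    11: ((11, 0, 1, 1261), 20220302),
    10: ((10, 0, 1, 4854), 20220304),
}

VERSION_RE = re.compile(r"^(\d+(?:\.\d+){3})(?:\s+P(\d{8}))?$")

def parse_version(text):
    """'11.0.1.1261 P20220302' -> ((11,0,1,1261), 20220302); no P -> date 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Veeam version string: {text!r}")
    build = tuple(int(p) for p in m.group(1).split("."))
    patch = int(m.group(2)) if m.group(2) else 0
    return build, patch

def assess(text):
    """Return 'patched', 'vulnerable', 'unsupported' (9.x and older), or
    'unknown' for branches this advisory does not cover."""
    build, patch = parse_version(text)
    major = build[0]
    if major not in FIXED:
        return "unsupported" if major < 10 else "unknown"
    fix_build, fix_patch = FIXED[major]
    if build > fix_build:
        return "patched"
    if build == fix_build and patch >= fix_patch:
        return "patched"
    return "vulnerable"

if __name__ == "__main__":
    # Constructed sample inventory (host, reported version); values are illustrative
    for host, ver in [("bkp01", "11.0.1.1261 P20220302"), ("bkp02", "11.0.1.1261"),
                      ("bkp03", "10.0.1.4854 P20220304"), ("bkp04", "10.0.0.4461"),
                      ("bkp05", "9.5.4.2866")]:
        print(host, ver, "->", assess(ver))
```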

Key Details

Property               Value
CVE ID                 CVE-2022-26501
Vendor / Product       Veeam — Backup & Replication
NVD Published          2022-03-17
NVD Last Modified      2025-11-03
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-306
CISA KEV Added         2022-12-13
CISA KEV Deadline      2023-01-03
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2023-01-03. Apply updates per vendor instructions.

Timeline

Date          Event
2022-03-12    Veeam published KB4288 and patched versions
2022-03-17    CVE published
2022-12-13    Added to CISA Known Exploited Vulnerabilities catalog (9 months after patch)
2023-01-03    CISA BOD 22-01 remediation deadline