CVE-2022-26500


CVSS 8.8 HIGH · EPSS 5.9% · KEV · CWE-22

In short

A security flaw in Veeam Backup & Replication allows authenticated users to bypass path restrictions and access internal API functions, enabling them to upload and run malicious code on the system.

Technical detail

Improper path validation (CWE-22) in Veeam Backup & Replication 9.5U3-U4, 10.x, and 11.x permits authenticated remote attackers to circumvent access controls on internal API endpoints, facilitating arbitrary code upload and execution with elevated privileges.

Summary generated and translated by AI from the official description.
Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4, 10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
