| Category | Vulnerability Class | CVE ID | CVSS:3.0 Score |
|---|---|---|---|
| Vulnerability Intelligence | Remote Code Execution | CVE-2022-26500, CVE-2022-26501, CVE-2022-26504 | 8.8 to 9.8 |
- CloudSEK’s contextual AI digital risk platform XVigil has analyzed several critical and high-severity vulnerabilities affecting Veeam Backup & Replication.
- Several threat actors were seen advertising the fully weaponized tool for remote code execution to exploit the following vulnerabilities affecting Veeam Backup & Replication:
- CVE-2022-26500 and CVE-2022-26501 with a CVSS V3 score of 9.8
- CVE-2022-26504 with a CVSS V3 score of 8.8
- A successful exploitation of the above-mentioned CVEs can lead to:
- Copying files within the boundaries of the local system or from a remote SMB network
- RCE without authorization ('Network Service' rights)
- RCE/LPE without authorization ('Local System' rights)
- Veeam Backup & Replication is a proprietary backup app for virtual environments built on VMware vSphere, Nutanix AHV, and Microsoft Hyper-V hypervisors.
- In addition to backing up and recovering VMs, it can protect and restore individual files and applications for environments such as Exchange and SharePoint.
- Remote Code Execution vulnerability in Veeam Distribution Service
- The Veeam distribution service, which uses TCP 9380 with default settings, allows threat actors who are not authenticated to access internal API functions.
- This component allows threat actors to execute malicious code remotely without authentication.
- Remote Code Execution vulnerability in Veeam Backup PSManager
- The Veeam.Backup.PSManager.exe process, which uses TCP 8732 with default settings, allows threat actors who are not administrators to authenticate using domain credentials.
- This vulnerability allows attackers holding domain credentials to execute malicious code remotely against the vulnerable component and gain control of the system.
- A public repository was also found containing scripts for recovering passwords from the Veeam Backup and Replication credential manager.
- The repository had the following 3 files:
- Veeam-Get-Creds.ps1 - PowerShell script for getting and decrypting accounts directly from the Veeam's database.
- VeeamGetCreds.yaml - PowerShell Empire module with an adapted Veeam-Get-Creds.ps1 script.
- Veampot.py - Python script to emulate vSphere responses to retrieve stored credentials from Veeam.
- A malware named “Veeamp” was found in the wild being used by the following two ransomware groups to dump credentials from the SQL database of the Veeam backup management software:
- Monti Ransomware
- Yanluowang Ransomware
- The malware file is a 32-bit .NET binary that, upon launching, attempts to connect to a SQL database named VeeamBackup and runs the following command: select ,, FROM ..
- After successful decryption, the credential dumper “Veeamp.exe” prints the following in order:
- Encrypted Password
- Decrypted Password
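The dumper behaviour described above (an unexpected client program connecting to the VeeamBackup database and issuing a SELECT) is the kind of thing a SQL Server audit feed can surface. The detector below is an added example written for this page, not CloudSEK's or Veeam's code; the key=value event layout, the sample events, the table name in the statements and the allowlist of expected Veeam client applications are all constructed assumptions that a real deployment would replace with its own audit format and inventory.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events in a simplified key=value audit format (hypothetical
# layout, not any vendor's real log format). Statement text is illustrative only.
SAMPLE_EVENTS = """\
2023-05-02T10:14:03Z host=vbr01 db=VeeamBackup app="Veeam.Backup.Service" login="NT AUTHORITY\\SYSTEM" stmt="SELECT id FROM Jobs"
2023-05-02T10:15:11Z host=vbr01 db=VeeamBackup app="Veeamp" login="CORP\\backupadm" stmt="select * from Credentials"
2023-05-02T10:15:40Z host=vbr01 db=VeeamBackup app="Microsoft SQL Server Management Studio" login="CORP\\jdoe" stmt="select * from Credentials"
2023-05-02T10:16:02Z host=vbr01 db=ReportServer app="ReportingServicesService" login="CORP\\svc-ssrs" stmt="SELECT 1"
"""

# Client programs expected to talk to the Veeam configuration database.
# Assumption: this allowlist is illustrative and must be tuned per site.
EXPECTED_APPS = {"Veeam.Backup.Service", "Veeam.Backup.Manager"}
# File name of the credential dumper as reported on the page.
KNOWN_DUMPER_NAMES = {"veeamp", "veeamp.exe"}

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(line)}

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a severity for suspicious access to the VeeamBackup database, else None."""
    if event.get("db") != "VeeamBackup":
        return None
    app = event.get("app", "")
    if app.lower() in KNOWN_DUMPER_NAMES:
        return "high"      # client name matches the reported dumper binary
    stmt = event.get("stmt", "").lstrip().lower()
    if app not in EXPECTED_APPS and stmt.startswith("select"):
        return "medium"    # any unexpected client reading the configuration DB
    return None

def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line and keep those that classify as suspicious."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        severity = classify(event)
        if severity:
            findings.append({**event, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["app"], f["login"], f["stmt"])
```

The medium-severity rule deliberately fires on interactive tooling such as a management console, which is noisy on purpose: reads of the backup configuration database outside the Veeam services are rare enough that each one is worth a look.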