CVE-2005-2611

EXPLOITED

VERITAS Backup Exec - Info Disclosure

Title source: llm

Exploitation Summary

CVE-2005-2611 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits, credited to Metasploit, hdm and Unknown, including the Metasploit module auxiliary/admin/backupexec/dump.

AI-analyzed exploit summary: This Metasploit module exploits a logic flaw in Veritas Backup Exec Windows Agent to download arbitrary files from the system. It uses a hardcoded password for authentication and establishes a data connection to exfiltrate files in MTF format.

Description

VERITAS Backup Exec for Windows Servers 8.6 through 10.0, Backup Exec for NetWare Servers 9.0 and 9.1, and NetBackup for NetWare Media Server Option 4.5 through 5.1 use a static password during authentication from the NDMP agent to the server, which allows remote attackers to read and write arbitrary files with the backup server.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · remote · windows
https://www.exploit-db.com/exploits/1147

This Metasploit module exploits a logic flaw in Veritas Backup Exec Windows Agent to download arbitrary files from the system. It uses a hardcoded password for authentication and establishes a data connection to exfiltrate files in MTF format.

Classification: Working Poc 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Veritas Backup Exec Windows Agent (all known versions)
Auth required
Prerequisites: Network access to the NDMP port (default 10000) · Veritas Backup Exec Windows Agent running on the target
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
by hdm, Unknown · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/backupexec/dump.rb

This Metasploit module exploits a logic flaw in Veritas Backup Exec Windows Agent to download arbitrary files via NDMP protocol using a backdoor password. The output is in MTF format, extractable with 'NTKBUp'.

Classification: Working Poc 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Veritas Backup Exec Windows Agent (all versions)
Auth required
Prerequisites: Network access to NDMP port (10000) · Knowledge of target file paths
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA05-224A.html
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/14551
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/16403
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/378957
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2005/1387
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/21793
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1014662

Scores

EPSS 0.7963
EPSS Percentile 99.1%

Details

VulnCheck KEV 2005-08-12
Status published
Products (50)
symantec_veritas/backup_exec netware_servers_9.0.4019
symantec_veritas/backup_exec netware_servers_9.0.4170
symantec_veritas/backup_exec netware_servers_9.0.4172
symantec_veritas/backup_exec netware_servers_9.0.4174
symantec_veritas/backup_exec netware_servers_9.0.4202
symantec_veritas/backup_exec netware_servers_9.1.306
symantec_veritas/backup_exec netware_servers_9.1.307
symantec_veritas/backup_exec netware_servers_9.1.1067_.2
symantec_veritas/backup_exec netware_servers_9.1.1067_.3
symantec_veritas/backup_exec netware_servers_9.1.1127_.1
... and 40 more
Published Aug 17, 2005
Tracked Since Feb 18, 2026