CVE-2005-2715

VERITAS NetBackup 4.5FP/4.5MP/5.0-6.0 - Remote Code Execution via Java UI Format String

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2005-2715. PoCs published by Kevin Finisterre.

AI-analyzed exploit summary This exploit targets a format string vulnerability in Veritas NetBackup on Windows systems, leveraging either PEB overwrites (Windows 2000/XP SP0/SP1) or SEH overwrites (Windows XP SP2) to achieve remote code execution. The payload includes shellcode designed to spawn a reverse shell.

Description

Format string vulnerability in the Java user interface service (bpjava-msvc) daemon for VERITAS NetBackup Data and Business Center 4.5FP and 4.5MP, and NetBackup Enterprise/Server/Client 5.0, 5.1, and 6.0, allows remote attackers to execute arbitrary code via the COMMAND_LOGON_TO_MSERVER command.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Kevin Finisterre · perlremotewindows_x86
https://www.exploit-db.com/exploits/1264

This exploit targets a format string vulnerability in Veritas NetBackup on Windows systems, leveraging either PEB overwrites (Windows 2000/XP SP0/SP1) or SEH overwrites (Windows XP SP2) to achieve remote code execution. The payload includes shellcode designed to spawn a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Veritas NetBackup (Win32)
No auth needed
Prerequisites: Network access to the target's NetBackup service (port 13722 by default) · Target system must be running a vulnerable version of Veritas NetBackup
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Kevin Finisterre · perlremoteosx
https://www.exploit-db.com/exploits/1265

This exploit targets a format string vulnerability in VERITAS NetBackup on OSX/ppc systems, leveraging a remote format string attack to execute a bind shell on port 5557. It uses a crafted payload to overwrite memory addresses and achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: VERITAS NetBackup (OSX/ppc)
No auth needed
Prerequisites: Network access to the target system · VERITAS NetBackup service running on port 13722
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Kevin Finisterre · perlremotemultiple
https://www.exploit-db.com/exploits/1263

This exploit targets a format string vulnerability in VERITAS NetBackup on Linux/x86 systems. It leverages a remote code execution (RCE) via a crafted payload sent to port 13722, followed by a reverse shell connection to port 5570.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: VERITAS NetBackup (Linux/x86)
No auth needed
Prerequisites: Network access to the target's VERITAS NetBackup service (port 13722) · Target system must be vulnerable to CVE-2005-2715
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Patch, Vendor Advisory x_refsource_confirm
http://www.symantec.com/avcenter/security/Content/2005.10.12.html
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17181
Patch, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/495556
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/15079
Patch vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015028
Patch vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102054-1

Scores

EPSS 0.6036
EPSS Percentile 99.0%

Details

Status published
Products (5)
symantec_veritas/netbackup_data_and_business_center 4.5fp
symantec_veritas/netbackup_data_and_business_center 4.5mp
symantec_veritas/netbackup_enterprise_server_client 5.0
symantec_veritas/netbackup_enterprise_server_client 5.1
symantec_veritas/netbackup_enterprise_server_client 6.0
Published Oct 12, 2005
Tracked Since Feb 18, 2026