CVE-2017-8895

CRITICAL

Veritas Backup Exec <16 FP1 - Use After Free

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-8895. PoCs published by Metasploit, Matthew Daley, including Metasploit module exploits/windows/backupexec/ssl_uaf.

AI-analyzed exploit summary This Metasploit module exploits a use-after-free vulnerability (CVE-2017-8895) in Veritas/Symantec Backup Exec's NDMP SSL handling. It achieves remote code execution by manipulating SSL sessions to trigger memory corruption, bypassing mitigations like NX, ASLR, and anti-ROP on Windows 8+.

Description

In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before build 14.2.1180.3160, and 16 before FP1, there is a use-after-free vulnerability in multiple agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/42282

This Metasploit module exploits a use-after-free vulnerability (CVE-2017-8895) in Veritas/Symantec Backup Exec's NDMP SSL handling. It achieves remote code execution by manipulating SSL sessions to trigger memory corruption, bypassing mitigations like NX, ASLR, and anti-ROP on Windows 8+.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Racy
Target: Veritas/Symantec Backup Exec (14.1, 14.2, 16.0)
No auth needed
Prerequisites: Network access to NDMP port (10000) · Vulnerable Backup Exec version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by Matthew Daley · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/backupexec/ssl_uaf.rb

This Metasploit module exploits a use-after-free vulnerability (CVE-2017-8895) in Veritas/Symantec Backup Exec's Remote Agent for Windows. It leverages SSL NDMP connection handling to achieve remote code execution as NT AUTHORITY\SYSTEM by bypassing NX, ASLR, and anti-ROP mitigations.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Racy
Target: Veritas/Symantec Backup Exec (14.1, 14.2, 16.0)
No auth needed
Prerequisites: Network access to the Backup Exec Remote Agent (port 10000) · Vulnerable version of Backup Exec (14.1, 14.2, or 16.0)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/98386
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038561
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42282/

Scores

CVSS v3 9.8
EPSS 0.7100
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-416
Status published
Products (1)
veritas/backup_exec < 14.1.1786.1126
Published May 10, 2017
Tracked Since Feb 18, 2026