CVE-2022-26500

HIGH KEV RANSOMWARE

Veeam Backup & Replication <11.x - Code Injection

Title source: llm

Description

Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4, 10.x, and 11.x allows remote authenticated users to access internal API functions, allowing attackers to upload and execute arbitrary code.

Scores

CVSS v3 8.8
EPSS 0.1903
EPSS Percentile 95.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-12-13
VulnCheck KEV 2022-10-24
InTheWild.io 2022-12-13
ENISA EUVD EUVD-2022-31058
Ransomware Use Confirmed
CWE CWE-22
Status published
Products (5)
veeam/veeam_backup_\&_replication 9.5.0.1536
veeam/veeam_backup_\&_replication 9.5.4.2615
veeam/veeam_backup_\&_replication 10.0.1.4854 (3 CPE variants)
veeam/veeam_backup_\&_replication 11.0.1.1261 (3 CPE variants)
veeam/veeam_backup_\&_replication 10.0.0.4442 - 10.0.1.4854
Published Mar 17, 2022
KEV Added Dec 13, 2022
Tracked Since Feb 18, 2026