CVE-2022-26501

CRITICAL KEV RANSOMWARE

Veeam Backup & Replication <11.x - Info Disclosure

Title source: llm

Exploitation Summary

CVE-2022-26501 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 13, 2022, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit.

AI-analyzed exploit summary This repository contains a functional Go-based client for exploiting CVE-2022-26501, a vulnerability in Veeam Distribution Service. It includes tools for copying and downloading files from Veeam servers (v10 and v11) by leveraging NTLMSSP authentication and SCP-based file transfer.

Description

Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).

Exploits (1)

vulncheck_xdb WORKING POC

remote

https://github.com/LeakIX/veeam-ds-client

View Code ZIP pw:eip

This repository contains a functional Go-based client for exploiting CVE-2022-26501, a vulnerability in Veeam Distribution Service. It includes tools for copying and downloading files from Veeam servers (v10 and v11) by leveraging NTLMSSP authentication and SCP-based file transfer.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Veeam Distribution Service v10 and v11

No auth needed

Prerequisites: Network access to Veeam Distribution Service (port 9380) · SCP server for file download functionality

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory x_refsource_misc

https://veeam.com

Vendor Advisory x_refsource_misc

https://www.veeam.com/kb4288

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26501

Scores

CVSS v3 9.8

EPSS 0.0428

EPSS Percentile 89.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2022-12-13

VulnCheck KEV 2022-10-24

InTheWild.io 2022-12-13

ENISA EUVD EUVD-2022-31059

Ransomware Use Confirmed

CWE

CWE-306

Status published

Products (3)

veeam/veeam_backup_\&_replication 10.0.1.4854 (3 CPE variants)

veeam/veeam_backup_\&_replication 11.0.1.1261 (3 CPE variants)

veeam/veeam_backup_\&_replication 10.0.0.4442 - 10.0.1.4854

Published Mar 17, 2022

KEV Added Dec 13, 2022

Tracked Since Feb 18, 2026