Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVeeam Backup \& Replication
APPVeeam10.0.1.485411.0.1.126110.0.0.4442 – 10.0.1.4854 (bez)11.0.0.825 – 11.0.1.1261 (bez)
CISA KEV — detailsi
- Vendori
- Veeam
- Producti
- Backup & Replication
- Added to KEVi
- December 13, 2022
- Remediation deadline (US Federal)i
- January 3, 2023(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Required action (CISA)i
Apply updates per vendor instructions.
CISA descriptioni
The Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can send input to the internal API which may lead to uploading and executing of malicious code.
🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARE⏰CISA DEADLINE: 3 stycznia 2023
Related vulnerabilities
CVE-2024-40711CRITICAL9.8⚠ KEVPL ✓ten sam produkt
Krytyczne RCE przez deserialization w Veeam Backup & Replication
CVE-2026-21669CRITICAL9.9PL ✓ten sam produkt
RCE w Veeam Backup & Replication dla uwierzytelnionych użytkowników domenowych
CVE-2026-21666CRITICAL9.9PL ✓ten sam produkt
RCE dla uwierzytelnionego użytkownika domenowego w Veeam Backup & Replication
CVE-2026-21667CRITICAL9.9PL ✓ten sam produkt
RCE w Veeam Backup & Replication dla uwierzytelnionego użytkownika domenowego
CVE-2026-21671CRITICAL9.1PL ✓ten sam produkt
RCE dla administratora kopii zapasowych w Veeam Backup & Replication (HA)