Cyber Resilience

CVE-2021-27877

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 01 March 2021

Modified: 03 November 2025
KEV Added: 07 April 2023
Patch
CVSS Score (v3.1): 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.4034 (97.4th percentile)
Risk Priority: 61 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-27877 is a high-severity vulnerability of an unspecified weakness type (no CWE listed) in Veritas Backup Exec. Its CVSS base score is 8.2 (High).

Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).

Deeper analysis

CVE-2021-27877 affects Veritas Backup Exec versions prior to 21.2. The product retained support for an unused SHA authentication scheme that had been superseded in current releases but was never disabled, leaving the Backup Exec Agent exposed to remote authentication abuse.

An unauthenticated remote attacker can exploit the scheme over the network to obtain unauthorized access to an Agent instance and execute privileged commands, resulting in high confidentiality impact and limited integrity impact according to the CVSS 8.2 vector.

The vendor advisory VTS21-001 and associated patches direct customers to upgrade to Backup Exec 21.2 or later to remove the legacy authentication path. Public exploit code has been published, and the vulnerability appears in the CISA Known Exploited Vulnerabilities catalog.

EU & UK References

Vulnerability details

An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands.

CWE(s)
KEV Date Added: 07 April 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: veritas
Product: backup exec
Versions: ≤ 21.2 (note: the advisory text above states that versions before 21.2 are affected and that 21.2 is the fixed release)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires disabling or restricting the unused SHA authentication scheme that remained enabled in the Backup Exec Agent.

prevent: Enforces that only valid, current authentication mechanisms may grant access to the Agent, blocking exploitation of the legacy SHA path.

prevent: Requires management and disabling of obsolete authenticator types and schemes that are no longer intended for use.

References