Cyber Resilience

CVE-2021-27878

Tags: High, CISA KEV, Active Exploitation, EUVD Exploited, Public PoC, Ransomware-linked

Published: 01 March 2021
Modified: 03 November 2025
KEV Added: 07 April 2023
Patch: available (Backup Exec 21.2 and later; see Veritas advisory VTS21-001)
CVSS v3.1 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0109 (78.3rd percentile)
Risk Priority: 38 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-27878 is a high-severity vulnerability in Veritas Backup Exec (no CWE weakness type is listed for it). Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 21.7% of CVEs by predicted exploit likelihood (EPSS 78.3rd percentile); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced. Treat it as actively exploited, not merely theoretically exploitable.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).

Deeper analysis

CVE-2021-27878 affects Veritas Backup Exec versions prior to 21.2. The flaw resides in the SHA Authentication scheme used for client-to-Agent communication. Although the protocol is intended to run over TLS, TLS only protects the transport; the application-layer authentication itself can be bypassed, so an attacker who can reach the Agent over the network can complete the handshake without legitimate credentials and end up with a session the Agent treats as authenticated.

Once the session is established, the attacker can issue arbitrary data management protocol commands. These commands execute with system-level privileges on the target host, resulting in full remote code execution. The vulnerability carries a CVSS 3.1 score of 8.8, reflecting network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

Veritas security advisory VTS21-001 addresses the issue and recommends upgrading to Backup Exec 21.2 or later. The flaw appears in the CISA Known Exploited Vulnerabilities catalog, and public exploit code has been published on PacketStorm, confirming active interest from attackers.
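The only remediation the advisory offers is a version upgrade, so the practical first step is finding every Backup Exec server and Remote Agent still below 21.2. The script below is an added triage example, not code from Veritas or from this page; the inventory records and host names are constructed, and the "21.10" entry is hypothetical, included only to show why plain string comparison of version numbers is unsafe.

```python
"""Triage helper for CVE-2021-27878: flag Backup Exec installs older than 21.2.

Added example, not Veritas code. The inventory format and host names are
constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Per Veritas advisory VTS21-001, Backup Exec 21.2 and later contain the fix.
FIXED_VERSION = "21.2"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '21.1.1200.1234' or 'Backup Exec 21.2' into a comparable int tuple.

    Plain string comparison gets this wrong ('21.10' < '21.2' lexically),
    so the components are compared numerically instead.
    """
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the install is strictly older than the fixed release."""
    v, f = parse_version(version), parse_version(fixed)
    # Pad to equal length so that 21.2 compares equal to 21.2.0.0.
    n = max(len(v), len(f))
    v += (0,) * (n - len(v))
    f += (0,) * (n - len(f))
    return v < f


@dataclass
class Host:
    name: str
    product: str
    version: str


# Constructed sample inventory (hypothetical hosts), such as a CMDB export.
# The "21.10" entry is invented only to exercise numeric ordering.
INVENTORY = [
    Host("bkp-srv-01", "Veritas Backup Exec", "21.1.1200.1234"),
    Host("bkp-srv-02", "Veritas Backup Exec", "21.2.1200.1000"),
    Host("bkp-srv-03", "Veritas Backup Exec", "20.0.1188.2145"),
    Host("bkp-srv-04", "Veritas Backup Exec", "21.10"),
    Host("fileserver-07", "Veritas Backup Exec Agent", "21.1.1200.1234"),
    Host("web-01", "nginx", "1.24.0"),
]


def affected_hosts(inventory: list[Host]) -> list[str]:
    """Names of hosts running any Backup Exec component older than 21.2.

    Remote Agents are matched as well as media servers, since the bypass is
    in the client-to-Agent authentication, not only on the server.
    """
    return [
        h.name
        for h in inventory
        if "backup exec" in h.product.lower() and is_affected(h.version)
    ]


if __name__ == "__main__":
    for name in affected_hosts(INVENTORY):
        print(f"{name}: upgrade to Backup Exec {FIXED_VERSION} or later (CVE-2021-27878)")
```

Run it against a real inventory by replacing `INVENTORY` with your own records; the check deliberately matches the Remote Agent as well as the media server, because the Agent is the side that accepts the flawed authentication.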

Vulnerability details

An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The attacker could use one of these commands to execute an arbitrary command on the system using system privileges.

CWE(s): none listed
KEV Date Added: 07 April 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Veritas Backup Exec, all versions before 21.2 (21.2 and later are fixed)

Mitigating Controls (NIST 800-53 r5)

prevent: AC-3 (Access Enforcement). Directly enforces approved authorizations so that only properly authenticated clients may issue data-management commands to the Backup Exec Agent.

prevent: IA-9 (Service Identification and Authentication). Requires the Agent service to identify and authenticate connecting clients before allowing any protocol commands, blocking the SHA-scheme bypass.

prevent: Protects the authenticity of the client-Agent session so an attacker cannot establish a usable authenticated channel after bypassing the flawed SHA mechanism.
