CVE-2022-26500
Published: 17 March 2022
Summary
CVE-2022-26500 is a high-severity path traversal (CWE-22) vulnerability in Veeam Backup & Replication. Its CVSS base score is 8.8 (High).
It ranks in the top 4.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2022-26500 is a path traversal vulnerability (CWE-22) affecting Veeam Backup & Replication versions 9.5U3, 9.5U4, 10.x, and 11.x. The flaw stems from improper limitation of path names, which exposes internal API functions and lets remote authenticated users upload and execute arbitrary code on the affected system. It carries a CVSS 3.1 base score of 8.8.
Remote authenticated attackers can exploit the issue over the network, without user interaction, to take full control of the backup server: arbitrary code execution with high impact to confidentiality, integrity, and availability. The attack requires valid credentials but no privileges beyond ordinary authentication, which is why compromised or weak backup-console accounts matter as much as the patch itself.
Veeam advisory KB4288 and the vendor site describe available patches and configuration guidance for the listed product versions. CISA has added the CVE to its Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation.
The EPSS score peaked at 0.2386 and currently stands at 0.1903, reflecting sustained exploitation interest after disclosure and the KEV listing.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31058
Vulnerability details
Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4, 10.x, and 11.x allows remote authenticated users access to internal API functions, which allows attackers to upload and execute arbitrary code.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
- KEV Date Added: 13 December 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Veeam Backup & Replication 9.5U3, 9.5U4, 10.x, and 11.x
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of path-name inputs to block the traversal that exposes the internal API functions.
- AC-3 (Access Enforcement): enforces access-control decisions so that authenticated users cannot reach restricted internal API functions.
- AC-6 (Least Privilege): limits the privileges of authenticated accounts to the minimum needed, reducing the ability to upload or execute code via the exposed APIs.
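The SI-10 control above amounts to one concrete check: a user-supplied file name must resolve to a location inside the directory the server intended, and the file type must be one the endpoint is meant to accept. The following is an added illustration of that check, written for this page; it is not Veeam's code and does not reproduce the internal API the advisory refers to. The upload directory, the allowlist of suffixes, and the sample inputs are all hypothetical. It shows the CWE-22 pattern (a bare join) next to a hardened resolver that decodes, normalizes, and enforces containment, and it handles the usual bypass shapes (double URL encoding, backslashes, absolute and drive-letter paths).

```python
import os
import posixpath
from urllib.parse import unquote

# Hypothetical upload directory for this example; not a Veeam path.
UPLOAD_ROOT = "/srv/backup/uploads"
# Hypothetical allowlist of file types the upload endpoint should accept.
ALLOWED_SUFFIXES = (".vbk", ".vib", ".log", ".txt")


def vulnerable_resolve(base: str, user_path: str) -> str:
    """CWE-22 pattern: join the user-supplied name onto the base directory
    with no containment check. '..' segments walk out of the base, and an
    absolute user path makes os.path.join discard the base entirely."""
    return os.path.join(base, user_path)


def safe_resolve(base: str, user_path: str) -> str:
    """SI-10 style input validation: decode, normalize, then require that the
    result stays under `base`. Raises ValueError on any escape attempt."""
    # Decode twice so single- and double-URL-encoded '..' are seen as dots.
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Windows hosts treat '\' as a separator; normalize to '/' before checking.
    decoded = decoded.replace("\\", "/")
    # Reject POSIX absolute paths and Windows drive-letter paths outright.
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        raise ValueError("absolute path rejected")
    norm = posixpath.normpath(decoded)
    # '.' is an empty name, '..' or a leading '../' leaves the base directory.
    if norm in (".", "..") or norm.startswith("../"):
        raise ValueError("path escapes base directory")
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, norm))
    # Belt-and-braces: the final path must sit strictly under the base.
    if not candidate.startswith(base_norm + "/"):
        raise ValueError("path escapes base directory")
    return candidate


def check_upload(user_path: str) -> str:
    """Combine containment with a file-type allowlist so that even an
    in-bounds path cannot drop an executable. Returns the safe path."""
    path = safe_resolve(UPLOAD_ROOT, user_path)
    if not path.lower().endswith(ALLOWED_SUFFIXES):
        raise ValueError("file type not allowed")
    return path


def accepts(user_path: str) -> bool:
    """True if check_upload accepts the name, False if it rejects it."""
    try:
        check_upload(user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs for the demo, not captured traffic.
    samples = [
        "jobs/2022-03-17.log",
        "../../../etc/passwd",
        "..%2F..%2Fetc%2Fpasswd",
        "%252e%252e/%252e%252e/etc/passwd",
        "..\\..\\Windows\\System32\\drivers\\etc\\hosts",
        "/etc/passwd",
        "jobs/payload.exe",
    ]
    for s in samples:
        naive = os.path.normpath(vulnerable_resolve(UPLOAD_ROOT, s))
        verdict = "accepted: " + check_upload(s) if accepts(s) else "rejected"
        print(f"{s!r:50} naive -> {naive}")
        print(f"{'':50} safe  -> {verdict}")
```

The containment test is done on the normalized string rather than by comparing a prefix of the raw input, because "/srv/backup/uploads" is also a prefix of "/srv/backup/uploads-old/x"; the trailing separator in the final check is what closes that gap. On a real service the same decode-normalize-contain sequence belongs at the API boundary, before any file handle is opened, and the allowlist should be the narrowest set of types the endpoint genuinely needs.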