
CVE-2022-26501

Severity: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 17 March 2022
Modified: 03 November 2025
KEV Added: 13 December 2022
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7540 (98.9th percentile)
Risk Priority: 85 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-26501 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Veeam Backup & Replication. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

Veeam Backup & Replication versions 10.x and 11.x contain an incorrect access control vulnerability tracked as CWE-306. The flaw permits unauthenticated network access to critical functions and carries a CVSS 3.1 base score of 9.8, reflecting full impact on confidentiality, integrity, and availability when exploited over the network without credentials or user interaction.

An attacker with network reachability can leverage the missing authentication to interact directly with protected backup components, enabling arbitrary actions that could result in complete compromise of backup data and infrastructure. Because the vulnerability requires no privileges or user interaction, remote exploitation is possible against any exposed installation.

Veeam has published remediation guidance in KB4288, and the issue appears in CISA’s catalog of known exploited vulnerabilities, indicating that official patches or configuration changes should be applied promptly to affected deployments. The associated EPSS score has reached 0.7540, consistent with observed in-the-wild exploitation activity.

Vulnerability details

Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).

CWE(s): CWE-306 (Missing Authentication for Critical Function)
KEV Date Added: 13 December 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: veeam
Product: veeam backup & replication
Versions: 10.0.1.4854, 11.0.1.1261 · 10.0.0.4442 to 10.0.1.4854 · 11.0.0.825 to 11.0.1.1261

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Directly enforces approved authorizations for logical access to the Veeam backup service, blocking the unauthenticated bypass described in CVE-2022-26501.

IA-2 Identification and Authentication (Organizational Users) (prevent)

Requires unique identification and authentication of users before allowing access to the backup infrastructure, eliminating the no-privilege remote exploitation path.

AC-17 Remote Access (partial match, prevent)

Establishes usage restrictions, authentication requirements, and connection protections for remote access to Veeam components, limiting exposure to the network attack vector.
