CVE-2022-26501
Published: 17 March 2022
Summary
CVE-2022-26501 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Veeam Backup & Replication. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
Veeam Backup & Replication versions 10.x and 11.x contain an incorrect access control vulnerability classified as CWE-306 (Missing Authentication for Critical Function). The flaw permits unauthenticated network access to critical functions and carries a CVSS 3.1 base score of 9.8, reflecting full impact on confidentiality, integrity, and availability when exploited over the network without credentials or user interaction.
An attacker with network reachability can leverage the missing authentication to interact directly with protected backup components, enabling arbitrary actions that could result in complete compromise of backup data and infrastructure. Because the vulnerability requires no privileges or user interaction, remote exploitation is possible against any exposed installation.
Veeam has published remediation guidance in KB4288, and the issue appears in CISA’s catalog of known exploited vulnerabilities, indicating that official patches or configuration changes should be applied promptly to affected deployments. The associated EPSS score has reached 0.7540, consistent with observed in-the-wild exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31059
Vulnerability details
Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
- KEV Date Added: 13 December 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces approved authorizations for logical access to the Veeam backup service, blocking the unauthenticated bypass described in CVE-2022-26501.
- IA-2 (Identification and Authentication (Organizational Users)): Requires unique identification and authentication of users before allowing access to the backup infrastructure, eliminating the no-privilege remote exploitation path.
- AC-17 (Remote Access): Establishes usage restrictions, authentication requirements, and connection protections for remote access to Veeam components, limiting exposure to the network attack vector.