CISA Adds Veeam Backup and Replication Bug to Known Exploited Vulnerability Catalog

US CISA has added two vulnerabilities affecting Veeam Backup & Replication software to its known exploited vulnerability catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has tracked two vulnerabilities affecting Veeam Backup & Replication software as CVE-2022-26500 and CVE-2022-26501 (CVSS 3.1 base score of 9.8), Added to known exploited vulnerabilities catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, the FCEB agency will address identified vulnerabilities by the deadline to protect networks from attacks that exploit catalog flaws. need to do it.

Experts recommend that private organizations also review the catalog and address vulnerabilities in their infrastructure.

Veeam Distribution Service, a Backup & Replication application, allows unauthenticated users to access internal API functions, according to the agency. A remote attacker could exploit this vulnerability by sending input to an internal API to execute arbitrary code.

“Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication could allow remote execution of malicious code without authentication, giving you control over the target system. It is possible.” Please read the advisory issued by Veeam.

This flaw affects Backup & Replication product versions 9.5, 10, and 11. A patch is available for the following versions:

Both issues were discovered by Positive Technologies researcher Nikita Petrov.

“We believe that these vulnerabilities will be exploited in real-world attacks, putting many organizations at significant risk,” said Nikita Petrov. “It is therefore important to install updates as soon as possible, or at least take steps to detect any unusual activity associated with these products.“

CISA mandates federal agencies to address both vulnerabilities by January 3, 2022.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also added the following issues to its catalog:

• CVE-2022-42475 – Fortinet FortiOS heap-based buffer overflow vulnerability to be addressed on January 3, 2022.
• CVE-2022-44698 – Microsoft Defender SmartScreen security feature bypass vulnerability to be addressed on January 3, 2022.
• CVE-2022-27518 – Citrix Application Delivery Controller (ADC) and gateway authentication bypass vulnerabilities to be addressed on January 3, 2022.
• CVE-2022-42856 – Apple iOS Confusion Vulnerability to be addressed on January 4, 2022.

Follow me on Twitter: @Security Affairs When Facebook When Mastodon