CISA is alerting that Veeam versions 9.5, 10, and 11 contain 2 critical vulnerabilities that are actively being exploited in the wild. The two vulnerabilities, listed as CVE-2022-26500 and CVE-2022-26501, are both rated 9.8 on the CVSS scoring system and can be leveraged to gain control of a system. Veeam released advisories for these in March 2022 and has since released patches for both vulnerabilities, as long as you are on versions 10 or 11. If you are on version 9.5 the only fix is to upgrade to a supported version, then patch to version 10a or 11a.
The vulnerabilities are a result of the Veeam Distribution Service allowing unauthenticated users to access internal API functions. This would allow a remote attacker to send input to the service leading to uploading and executing malicious code.
As always, perform a threat-hunt to ensure that you’ve not been compromised, a patch does not fix a past compromise where an attacker left persistence mechanisms behind.
Link to CISA alert https://thehackernews.com/2022/12/cisa-alert-veeam-backup-and-replication.html
Link to Veeam advisories including links to patches https://www.veeam.com/kb4288
